diff --git a/.dockerignore b/.dockerignore index dfcb9cbf2..cb9ee6224 100644 --- a/.dockerignore +++ b/.dockerignore @@ -2,11 +2,11 @@ **/*.crt **/*.iso **/*.key +**/*.env **/*.pem **/*.keystore **/.git* **/__pycache__ -**/auth.env **/.ldap_config_defaults **/htpasswd **/malcolm_*images.tar.gz @@ -17,6 +17,7 @@ .configured .trigger_workflow_build .tmp +config.* docker-compose*yml Dockerfiles Gemfile.lock @@ -24,15 +25,18 @@ opensearch opensearch-backup arkime-logs arkime-raw +kubernetes malcolm-iso sensor-iso -nginx/nginx_ldap.conf +nginx/nginx_ldap*.conf pcap _site scripts !scripts/malcolm_common.py +!scripts/malcolm_kubernetes.py +!scripts/malcolm_utils.py zeek-logs suricata-logs netbox/netbox/media netbox/netbox/postgres -netbox/netbox/redis \ No newline at end of file +netbox/netbox/redis diff --git a/.github/workflows/api-build-and-push-ghcr.yml b/.github/workflows/api-build-and-push-ghcr.yml index 20c86a2dd..939007b3b 100644 --- a/.github/workflows/api-build-and-push-ghcr.yml +++ b/.github/workflows/api-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'api/**' - 'Dockerfiles/api.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml index 120e014b3..32016cab4 100644 --- a/.github/workflows/arkime-build-and-push-ghcr.yml +++ b/.github/workflows/arkime-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'arkime/**' - 'Dockerfiles/arkime.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' 
diff --git a/.github/workflows/dashboards-build-and-push-ghcr.yml b/.github/workflows/dashboards-build-and-push-ghcr.yml index 442da4eef..1452ed146 100644 --- a/.github/workflows/dashboards-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'dashboards/**' - 'Dockerfiles/dashboards.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml index aeaf743fb..7f8bf5804 100644 --- a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'dashboards/**' - 'Dockerfiles/dashboards-helper.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/file-monitor-build-and-push-ghcr.yml b/.github/workflows/file-monitor-build-and-push-ghcr.yml index 37af5c097..bafd62550 100644 --- a/.github/workflows/file-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/file-monitor-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'file-monitor/**' - 'Dockerfiles/file-monitor.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' 
diff --git a/.github/workflows/file-upload-build-and-push-ghcr.yml b/.github/workflows/file-upload-build-and-push-ghcr.yml index b457b86ee..f1a5b3113 100644 --- a/.github/workflows/file-upload-build-and-push-ghcr.yml +++ b/.github/workflows/file-upload-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'file-upload/**' - 'Dockerfiles/file-upload.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/filebeat-build-and-push-ghcr.yml b/.github/workflows/filebeat-build-and-push-ghcr.yml index bb744d177..e52a73691 100644 --- a/.github/workflows/filebeat-build-and-push-ghcr.yml +++ b/.github/workflows/filebeat-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'filebeat/**' - 'Dockerfiles/filebeat.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/freq-build-and-push-ghcr.yml b/.github/workflows/freq-build-and-push-ghcr.yml index 12281f7a9..84a3254e0 100644 --- a/.github/workflows/freq-build-and-push-ghcr.yml +++ b/.github/workflows/freq-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'freq-server/**' - 'Dockerfiles/freq.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/htadmin-build-and-push-ghcr.yml b/.github/workflows/htadmin-build-and-push-ghcr.yml index 3af590976..eff564dee 100644 
--- a/.github/workflows/htadmin-build-and-push-ghcr.yml +++ b/.github/workflows/htadmin-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'htadmin/**' - 'Dockerfiles/htadmin.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/logstash-build-and-push-ghcr.yml b/.github/workflows/logstash-build-and-push-ghcr.yml index a8d69eb27..6e8ed88cd 100644 --- a/.github/workflows/logstash-build-and-push-ghcr.yml +++ b/.github/workflows/logstash-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'logstash/**' - 'Dockerfiles/logstash.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml index c95a3ffd3..fc9a44507 100644 --- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -5,7 +5,6 @@ on: branches: - main - development - - kubernetes paths: - 'malcolm-iso/**' - 'shared/bin/*' diff --git a/.github/workflows/name-map-ui-build-and-push-ghcr.yml b/.github/workflows/name-map-ui-build-and-push-ghcr.yml deleted file mode 100644 index 0d9982356..000000000 --- a/.github/workflows/name-map-ui-build-and-push-ghcr.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -name: name-map-ui-build-and-push-ghcr - -on: - push: - branches: - - main - - development - - kubernetes - paths: - - 'name-map-ui/**' - - 'Dockerfiles/name-map-ui.Dockerfile' - - 'shared/bin/*' - - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - - '.trigger_workflow_build' - workflow_dispatch: - repository_dispatch: - -jobs: - docker: - runs-on: ubuntu-22.04 - permissions: - actions: write - packages: write - contents: read - steps: - - - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 - with: - ignore_sha: true - all_but_latest: true - access_token: ${{ secrets.GITHUB_TOKEN }} - - - name: Checkout - uses: actions/checkout@v3 - - - name: Extract branch name - shell: bash - run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT - id: extract_branch - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - with: - driver-opts: | - image=moby/buildkit:master - - - name: Log in to registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and push - uses: docker/build-push-action@v3 - with: - context: . - file: ./Dockerfiles/name-map-ui.Dockerfile - push: true - tags: ghcr.io/${{ github.repository_owner }}/malcolm/name-map-ui:${{ steps.extract_branch.outputs.branch }} diff --git a/.github/workflows/netbox-build-and-push-ghcr.yml b/.github/workflows/netbox-build-and-push-ghcr.yml index cbb2fa980..a8ecbc443 100644 --- a/.github/workflows/netbox-build-and-push-ghcr.yml +++ b/.github/workflows/netbox-build-and-push-ghcr.yml 
@@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'netbox/**' - 'Dockerfiles/netbox.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/nginx-build-and-push-ghcr.yml b/.github/workflows/nginx-build-and-push-ghcr.yml index 77e379f70..4489ce37a 100644 --- a/.github/workflows/nginx-build-and-push-ghcr.yml +++ b/.github/workflows/nginx-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'nginx/**' - 'Dockerfiles/nginx.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/opensearch-build-and-push-ghcr.yml b/.github/workflows/opensearch-build-and-push-ghcr.yml index 177c8d1e1..c6faee5d6 100644 --- a/.github/workflows/opensearch-build-and-push-ghcr.yml +++ b/.github/workflows/opensearch-build-and-push-ghcr.yml @@ -5,10 +5,12 @@ on: branches: - main - development - - kubernetes paths: - 'Dockerfiles/opensearch.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/pcap-capture-build-and-push-ghcr.yml b/.github/workflows/pcap-capture-build-and-push-ghcr.yml index 2d4dc0c6e..057d4cfc9 100644 --- a/.github/workflows/pcap-capture-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-capture-build-and-push-ghcr.yml 
@@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'pcap-capture/**' - 'Dockerfiles/pcap-capture.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml index 14d37084e..6a69b2bad 100644 --- a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'pcap-monitor/**' - 'Dockerfiles/pcap-monitor.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/postgresql-build-and-push-ghcr.yml b/.github/workflows/postgresql-build-and-push-ghcr.yml index 6326f9fbc..703730e6d 100644 --- a/.github/workflows/postgresql-build-and-push-ghcr.yml +++ b/.github/workflows/postgresql-build-and-push-ghcr.yml @@ -5,10 +5,12 @@ on: branches: - main - development - - kubernetes paths: - 'Dockerfiles/postgresql.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/redis-build-and-push-ghcr.yml b/.github/workflows/redis-build-and-push-ghcr.yml index 29796936d..ed496a575 100644 --- a/.github/workflows/redis-build-and-push-ghcr.yml +++ b/.github/workflows/redis-build-and-push-ghcr.yml 
@@ -5,10 +5,12 @@ on: branches: - main - development - - kubernetes paths: - 'Dockerfiles/redis.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml index fd9499911..af40ba3f8 100644 --- a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml @@ -5,7 +5,6 @@ on: branches: - main - development - - kubernetes paths: - 'sensor-iso/**' - 'shared/bin/*' @@ -92,6 +91,7 @@ jobs: name: Build image run: | cp -r ./shared ./docs ./_config.yml ./_includes ./_layouts ./Gemfile ./README.md ./sensor-iso + cp ./scripts/malcolm_utils.py ./sensor-iso/shared/bin/ cp ./scripts/documentation_build.sh ./sensor-iso/docs/ cp -r ./arkime/patch ./sensor-iso/shared/arkime_patch pushd ./sensor-iso diff --git a/.github/workflows/suricata-build-and-push-ghcr.yml b/.github/workflows/suricata-build-and-push-ghcr.yml index 8086860d8..764a2737f 100644 --- a/.github/workflows/suricata-build-and-push-ghcr.yml +++ b/.github/workflows/suricata-build-and-push-ghcr.yml @@ -5,11 +5,13 @@ on: branches: - main - development - - kubernetes paths: - 'suricata/**' - 'Dockerfiles/suricata.Dockerfile' - 'shared/bin/*' + - '!shared/bin/agg-init.sh' + - '!shared/bin/common-init.sh' + - '!shared/bin/sensor-init.sh' - '!shared/bin/configure-interfaces.py' - '!shared/bin/configure-capture.py' - '.trigger_workflow_build' diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml index 8dbebdb59..a48fe1e7c 100644 --- a/.github/workflows/zeek-build-and-push-ghcr.yml +++ b/.github/workflows/zeek-build-and-push-ghcr.yml 
@@ -5,11 +5,13 @@ on:
 branches:
 - main
 - development
- - kubernetes
 paths:
 - 'zeek/**'
 - 'Dockerfiles/zeek.Dockerfile'
 - 'shared/bin/*'
+ - '!shared/bin/agg-init.sh'
+ - '!shared/bin/common-init.sh'
+ - '!shared/bin/sensor-init.sh'
 - '!shared/bin/configure-interfaces.py'
 - '!shared/bin/configure-capture.py'
 - '.trigger_workflow_build'
diff --git a/.gitignore b/.gitignore
index 4ce70a661..c803ce8be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,19 +7,22 @@
 # auth-related
 /.ldap_config_defaults
 /auth.env
+/config/*.env
 /.opensearch*.curlrc
 /logstash/certs
 /filebeat/certs
 /nginx/certs
 /nginx/ca-trust
 /nginx/htpasswd
-/nginx/nginx_ldap.conf
+/nginx/nginx_ldap*.conf
 /htadmin/config.ini
 /htadmin/metadata
+*.keystore
 
 # runtime
 .tmp
 .configured
+config.*/
 
 # development
 .envrc
@@ -44,3 +47,4 @@ __pycache__/
 __pypackages__/
 *.py[cod]
 *$py.class
+.DS_Store
diff --git a/.trigger_workflow_build b/.trigger_workflow_build
index c69b966fd..ee028e549 100644
--- a/.trigger_workflow_build
+++ b/.trigger_workflow_build
@@ -1,2 +1,2 @@
 # this file exists solely for the purpose of being updated and seen by github to trigger a commit build action
-2
+6
diff --git a/Dockerfiles/api.Dockerfile b/Dockerfiles/api.Dockerfile
index 60c7c98bb..4018b2931 100644
--- a/Dockerfiles/api.Dockerfile
+++ b/Dockerfiles/api.Dockerfile
@@ -12,11 +12,11 @@ RUN apt-get update -q \
 && python3 -m pip install flake8
 COPY ./api /usr/src/app/
-COPY scripts/malcolm_common.py /usr/src/app/
+COPY scripts/malcolm_utils.py /usr/src/app/
 WORKDIR /usr/src/app
 RUN python3 -m pip wheel --no-cache-dir --no-deps --wheel-dir /usr/src/app/wheels -r requirements.txt \
- && flake8 --ignore=E501,F401,W503
+ && flake8 --ignore=E203,E501,F401,W503
 FROM python:3-slim
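Review bot: The new `/config/*.env` rule is anchored to the repository root, whereas the `.dockerignore` in this same change switched to `**/*.env`, so an environment file written anywhere else (the new `kubernetes/` tree, a backup copy next to a script) would still be committed. Since these files are listed under "# auth-related" and replace the old `auth.env`, a broader `*.env` with an explicit `!` re-include for any template you do want tracked is safer than a single-directory pattern. The un-anchored `*.keystore` added a few lines down is the right shape to mirror.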
@@ -70,16 +70,18 @@ WORKDIR "${APP_HOME}" COPY --from=builder /usr/src/app/wheels /wheels COPY --from=builder /usr/src/app/requirements.txt . COPY ./api "${APP_HOME}" -COPY scripts/malcolm_common.py "${APP_HOME}"/ +COPY scripts/malcolm_utils.py "${APP_HOME}"/ COPY shared/bin/opensearch_status.sh "${APP_HOME}"/ -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic + RUN apt-get -q update \ && apt-get -y -q --no-install-recommends upgrade \ && apt-get -y -q --no-install-recommends install curl netcat rsync tini \ && python3 -m pip install --upgrade pip \ && python3 -m pip install --no-cache /wheels/* \ - && chmod 755 /usr/local/bin/docker-uid-gid-setup.sh \ && groupadd --gid ${DEFAULT_GID} ${PGROUP} \ && useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} --home "${HOME}" ${PUSER} \ && chown -R ${PUSER}:${PGROUP} "${HOME}" \ @@ -89,7 +91,12 @@ RUN apt-get -q update \ EXPOSE 5000 -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "${APP_HOME}/entrypoint.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "api", \ + "/malcolm/api/entrypoint.sh"] # to be populated at build-time: ARG BUILD_DATE diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile index 33e03b7c2..99a1fd88f 100644 --- a/Dockerfiles/arkime.Dockerfile +++ b/Dockerfiles/arkime.Dockerfile @@ -4,7 +4,7 @@ FROM debian:11-slim AS build ENV DEBIAN_FRONTEND noninteractive -ENV ARKIME_VERSION "v4.2.0" +ENV ARKIME_VERSION "v4.3.0" ENV ARKIME_DIR "/opt/arkime" ENV ARKIME_URL "https://github.com/arkime/arkime.git" ENV ARKIME_LOCALELASTICSEARCH no 
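Review bot: The new `COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic` references a third-party image by bare name, so every build resolves a mutable tag and the binary that now sits in the entrypoint chain can change without any change to this repository. Pin it by digest, `COPY --from=ghcr.io/mmguero-dev/gostatic@sha256:<digest> --chmod=755 /goStatic /usr/bin/goStatic`, and keep the digest beside it the way `SUPERCRONIC_SHA1SUM` is kept in the other Dockerfiles of this commit; the same unpinned reference is repeated in every Dockerfile touched here. Replacing `"${APP_HOME}/entrypoint.sh"` with the literal `/malcolm/api/entrypoint.sh` is a real fix, since exec-form ENTRYPOINT does not expand variables, and a one-line comment saying so would stop the next reader from putting the variable back.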
@@ -45,7 +45,6 @@ RUN apt-get -q update && \ python3-pip \ python3-setuptools \ python3-wheel \ - rsync \ sudo \ swig \ wget \ @@ -90,6 +89,7 @@ ENV DEFAULT_GID $DEFAULT_GID ENV PUSER "arkime" ENV PGROUP "arkime" ENV PUSER_PRIV_DROP true +ENV PUSER_RLIMIT_UNLOCK true ENV DEBIAN_FRONTEND noninteractive ENV TERM xterm @@ -101,14 +101,14 @@ ARG ARKIME_ECS_PROVIDER=arkime ARG ARKIME_ECS_DATASET=session ARG ARKIME_INTERFACE=eth0 ARG ARKIME_ANALYZE_PCAP_THREADS=1 -ARG WISE=off +ARG OPENSEARCH_MAX_SHARDS_PER_NODE=2500 +ARG WISE=on ARG VIEWER=on #Whether or not Arkime is in charge of deleting old PCAP files to reclaim space ARG MANAGE_PCAP_FILES=false #Whether or not to auto-tag logs based on filename ARG AUTO_TAG=true -ARG PCAP_PIPELINE_DEBUG=false -ARG PCAP_PIPELINE_DEBUG_EXTRA=false +ARG PCAP_PIPELINE_VERBOSITY="" ARG PCAP_MONITOR_HOST=pcap-monitor ARG MAXMIND_GEOIP_DB_LICENSE_KEY="" @@ -123,12 +123,12 @@ ENV ARKIME_ECS_PROVIDER $ARKIME_ECS_PROVIDER ENV ARKIME_ECS_DATASET $ARKIME_ECS_DATASET ENV ARKIME_DIR "/opt/arkime" ENV ARKIME_ANALYZE_PCAP_THREADS $ARKIME_ANALYZE_PCAP_THREADS +ENV OPENSEARCH_MAX_SHARDS_PER_NODE $OPENSEARCH_MAX_SHARDS_PER_NODE ENV WISE $WISE ENV VIEWER $VIEWER ENV MANAGE_PCAP_FILES $MANAGE_PCAP_FILES ENV AUTO_TAG $AUTO_TAG -ENV PCAP_PIPELINE_DEBUG $PCAP_PIPELINE_DEBUG -ENV PCAP_PIPELINE_DEBUG_EXTRA $PCAP_PIPELINE_DEBUG_EXTRA +ENV PCAP_PIPELINE_VERBOSITY $PCAP_PIPELINE_VERBOSITY ENV PCAP_MONITOR_HOST $PCAP_MONITOR_HOST COPY --from=build $ARKIME_DIR $ARKIME_DIR @@ -141,6 +141,7 @@ RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.l file \ geoip-bin \ gettext \ + inotify-tools \ jq \ libcap2-bin \ libjson-perl \ 
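Review bot: `ARG WISE=on` changes the default from off to on with no comment, so a default build now starts an additional service (WISE is Arkime's intelligence lookup service and presumably the consumer of port 8081 in the EXPOSE line further down); that is a change in default exposure and should be stated next to the ARG, e.g. `# WISE (Arkime intelligence service) is enabled by default; set WISE=off to disable its listener`. `ENV PUSER_RLIMIT_UNLOCK true` is likewise introduced without saying what it unlocks or which script reads it; a note such as `# read by docker-uid-gid-setup.sh — presumably raises resource limits before privileges are dropped; confirm` would do until the behaviour is documented. `PCAP_PIPELINE_VERBOSITY=""` replaces two booleans and should list its accepted values so operators do not keep setting `PCAP_PIPELINE_DEBUG`.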
@@ -160,13 +161,14 @@ RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.l python3-setuptools \ python3-wheel \ rename \ + rsync \ sudo \ supervisor \ vim-tiny \ wget \ tini \ tar gzip unzip cpio bzip2 lzma xz-utils p7zip-full unrar zlib1g && \ - pip3 install --no-cache-dir beautifulsoup4 pyzmq && \ + pip3 install --no-cache-dir beautifulsoup4 pyzmq watchdog && \ ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \ ln -sfr $ARKIME_DIR/bin/node /usr/local/bin/node && \ ln -sfr $ARKIME_DIR/bin/npx /usr/local/bin/npx && \ @@ -176,11 +178,14 @@ RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.l rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* # add configuration and scripts -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic ADD arkime/scripts /opt/ ADD shared/bin/pcap_processor.py /opt/ ADD shared/bin/pcap_utils.py /opt/ -ADD scripts/malcolm_common.py /opt/ +ADD scripts/malcolm_utils.py /opt/ +ADD shared/bin/watch_common.py /opt/ ADD shared/bin/opensearch_status.sh /opt/ ADD shared/bin/self_signed_key_gen.sh /usr/local/bin/ ADD arkime/etc $ARKIME_DIR/etc/ @@ -219,7 +224,12 @@ ENV PATH="/opt:$ARKIME_DIR/bin:${PATH}" EXPOSE 8000 8005 8081 WORKDIR $ARKIME_DIR -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/opt/docker_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "arkime", \ + "/opt/docker_entrypoint.sh"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile index 2b070b928..73a410f0e 100644 --- a/Dockerfiles/dashboards-helper.Dockerfile 
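Review bot: Only the two helper scripts were converted to `COPY --chmod=755`; `ADD shared/bin/self_signed_key_gen.sh /usr/local/bin/`, `ADD shared/bin/pcap_processor.py /opt/`, `ADD shared/bin/opensearch_status.sh /opt/` and the rest of the block remain `ADD`, so whether those scripts are executable inside the image still depends on mode bits in the build context. None of these are URLs or archives, so ADD's fetch/auto-extract semantics buy nothing; use `COPY` throughout and `--chmod=755` on the ones that are executed, consistent with the lines this commit already changed. The `COPY --from=ghcr.io/mmguero-dev/gostatic` reference carries no tag or digest and should be pinned, and `pip3 install --no-cache-dir beautifulsoup4 pyzmq watchdog` adds another unpinned package to a root-installed image. The RUN instruction that begins this hunk starts outside it.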
+++ b/Dockerfiles/dashboards-helper.Dockerfile @@ -47,10 +47,10 @@ ENV DASHBOARDS_URL $DASHBOARDS_URL ENV DASHBOARDS_DARKMODE $DASHBOARDS_DARKMODE ENV PATH="/data:${PATH}" -ENV SUPERCRONIC_VERSION "0.2.2" +ENV SUPERCRONIC_VERSION "0.2.24" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "2319da694833c7a147976b8e5f337cd83397d6be" +ENV SUPERCRONIC_SHA1SUM "6817299e04457e5d6ec4809c72ee13a43e95ba41" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV ECS_RELEASES_URL "https://api.github.com/repos/elastic/ecs/releases/latest" @@ -63,11 +63,13 @@ ADD dashboards/maps /opt/maps ADD dashboards/scripts /data/ ADD dashboards/supervisord.conf /etc/supervisord.conf ADD dashboards/templates /opt/templates -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ -ADD shared/bin/opensearch_status.sh /data/ -ADD shared/bin/opensearch_index_size_prune.py /data/ -ADD shared/bin/opensearch_read_only.py /data/ -ADD scripts/malcolm_common.py /data/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic +COPY --chmod=755 shared/bin/opensearch_status.sh /data/ +COPY --chmod=755 shared/bin/opensearch_index_size_prune.py /data/ +COPY --chmod=755 shared/bin/opensearch_read_only.py /data/ +ADD scripts/malcolm_utils.py /data/ RUN apk update --no-cache && \ apk upgrade --no-cache && \ @@ -100,7 +102,11 @@ RUN apk update --no-cache && \ EXPOSE $OFFLINE_REGION_MAPS_PORT -ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/sbin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "dashboards-helper"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] 
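Review bot: The supercronic bump is still verified only against a SHA-1 (`SUPERCRONIC_SHA1SUM`, checked via `sha1sum -c` in the sibling Dockerfiles of this change); SHA-1 is collision-weak and a poor integrity check for a release binary, so if upstream publishes a SHA-256 for 0.2.24 prefer `SUPERCRONIC_SHA256SUM` with `sha256sum -c -`. In the same file `COPY --from=ghcr.io/mmguero-dev/gostatic` is unpinned and should carry an `@sha256:` digest. `ADD scripts/malcolm_utils.py /data/` is the one line left as ADD among neighbours that became `COPY --chmod=755`; switching it to COPY keeps the block uniform.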
diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile index 31777e95e..c6ccfcb93 100644 --- a/Dockerfiles/dashboards.Dockerfile +++ b/Dockerfiles/dashboards.Dockerfile @@ -90,7 +90,7 @@ ENV PUSER_PRIV_DROP true ENV TERM xterm ENV TINI_VERSION v0.19.0 -ENV OSD_TRANSFORM_VIS_VERSION 2.5.0 +ENV OSD_TRANSFORM_VIS_VERSION 2.6.0 ARG OPENSEARCH_URL="http://opensearch:9200" ARG OPENSEARCH_LOCAL="true" @@ -122,8 +122,7 @@ RUN yum upgrade -y && \ /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards --allow-root && \ cd /usr/share/opensearch-dashboards/plugins && \ /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install file:///tmp/kbnSankeyVis.zip --allow-root && \ - # TODO: when 2.6.0 is released /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSFORM_VIS_VERSION/transformVis-$OSD_TRANSFORM_VIS_VERSION.zip --allow-root && \ - # trying to see if things still work if these are owned by root (to avoid a costly chown on container startup) + /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSFORM_VIS_VERSION/transformVis-$OSD_TRANSFORM_VIS_VERSION.zip --allow-root && \ chown --silent -R root:root /usr/share/opensearch-dashboards/plugins/* \ /usr/share/opensearch-dashboards/node_modules/* \ /usr/share/opensearch-dashboards/src/* && \ 
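Review bot: The transformVis plugin is now installed directly from `https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSFORM_VIS_VERSION/transformVis-$OSD_TRANSFORM_VIS_VERSION.zip` with `--allow-root` and no integrity check, so the image content depends on whatever that release asset holds at build time, unlike supercronic elsewhere in this commit. Fetch the zip with curl, verify a recorded `OSD_TRANSFORM_VIS_SHA256SUM` with `sha256sum -c -`, and install from `file:///tmp/transformVis.zip` exactly as the sankey plugin on the line above already is. Deleting the "trying to see if things still work if these are owned by root" comment leaves the `chown --silent -R root:root` with no stated reason; keep a short `# plugins/node_modules/src are root-owned on purpose to avoid a costly recursive chown at container start` so the intent survives. The RUN instruction continues past the end of this hunk.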
@@ -131,10 +130,13 @@ RUN yum upgrade -y && \ yum clean all && \ rm -rf /var/cache/yum +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic +COPY --chmod=755 dashboards/scripts/docker_entrypoint.sh /usr/local/bin/ ADD dashboards/opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/opensearch_dashboards.orig.yml -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ ADD dashboards/scripts/docker_entrypoint.sh /usr/local/bin/ -ADD scripts/malcolm_common.py /usr/local/bin/ +ADD scripts/malcolm_utils.py /usr/local/bin/ # Yeah, I know about https://opensearch.org/docs/latest/dashboards/branding ... but I can't figure out a way # to specify the entries in the opensearch_dashboards.yml such that they are valid BOTH from the @@ -150,7 +152,12 @@ ADD docs/images/favicon/favicon32.png /usr/share/opensearch-dashboards/src/core/ ADD docs/images/favicon/apple-touch-icon-precomposed.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/apple-touch-icon.png -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/docker_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "dashboards", \ + "/usr/local/bin/docker_entrypoint.sh"] CMD ["/usr/share/opensearch-dashboards/opensearch-dashboards-docker-entrypoint.sh"] diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index 193508398..a8cfb03ab 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile 
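Review bot: `COPY --chmod=755 dashboards/scripts/docker_entrypoint.sh /usr/local/bin/` is added, but the pre-existing `ADD dashboards/scripts/docker_entrypoint.sh /usr/local/bin/` two lines below is kept as context, so the later ADD overwrites the file and its mode is again whatever the build context carries — the `--chmod=755` is dead. Remove the old ADD line (it is the entrypoint invoked in the new ENTRYPOINT on this same line, so its executable bit matters). The `COPY --from=ghcr.io/mmguero-dev/gostatic` reference has no tag or digest and should be pinned.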
@@ -26,6 +26,8 @@ ARG ZEEK_LOG_DIRECTORY=/zeek/logs ARG EXTRACTED_FILE_IGNORE_EXISTING=false ARG EXTRACTED_FILE_PRESERVATION=quarantined ARG EXTRACTED_FILE_WATCHER_START_SLEEP=30 +ARG EXTRACTED_FILE_WATCHER_POLLING=false +ARG EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC=10 ARG EXTRACTED_FILE_SCANNER_START_SLEEP=10 ARG EXTRACTED_FILE_LOGGER_START_SLEEP=5 ARG EXTRACTED_FILE_MIN_BYTES=64 @@ -34,8 +36,7 @@ ARG VTOT_API2_KEY=0 ARG VTOT_REQUESTS_PER_MINUTE=4 ARG EXTRACTED_FILE_ENABLE_CLAMAV=false ARG EXTRACTED_FILE_UPDATE_RULES=false -ARG EXTRACTED_FILE_PIPELINE_DEBUG=false -ARG EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA=false +ARG EXTRACTED_FILE_PIPELINE_VERBOSITY="" ARG CLAMD_SOCKET_FILE=/tmp/clamd.ctl ARG CLAMD_MAX_REQUESTS=8 ARG YARA_MAX_REQUESTS=8 @@ -55,6 +56,8 @@ ENV ZEEK_LOG_DIRECTORY $ZEEK_LOG_DIRECTORY ENV EXTRACTED_FILE_IGNORE_EXISTING $EXTRACTED_FILE_IGNORE_EXISTING ENV EXTRACTED_FILE_PRESERVATION $EXTRACTED_FILE_PRESERVATION ENV EXTRACTED_FILE_WATCHER_START_SLEEP $EXTRACTED_FILE_WATCHER_START_SLEEP +ENV EXTRACTED_FILE_WATCHER_POLLING $EXTRACTED_FILE_WATCHER_POLLING +ENV EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC $EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC ENV EXTRACTED_FILE_SCANNER_START_SLEEP $EXTRACTED_FILE_SCANNER_START_SLEEP ENV EXTRACTED_FILE_LOGGER_START_SLEEP $EXTRACTED_FILE_LOGGER_START_SLEEP ENV EXTRACTED_FILE_MIN_BYTES $EXTRACTED_FILE_MIN_BYTES @@ -63,8 +66,7 @@ ENV VTOT_API2_KEY $VTOT_API2_KEY ENV VTOT_REQUESTS_PER_MINUTE $VTOT_REQUESTS_PER_MINUTE ENV EXTRACTED_FILE_ENABLE_CLAMAV $EXTRACTED_FILE_ENABLE_CLAMAV ENV EXTRACTED_FILE_UPDATE_RULES $EXTRACTED_FILE_UPDATE_RULES -ENV EXTRACTED_FILE_PIPELINE_DEBUG $EXTRACTED_FILE_PIPELINE_DEBUG -ENV EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA $EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA +ENV EXTRACTED_FILE_PIPELINE_VERBOSITY $EXTRACTED_FILE_PIPELINE_VERBOSITY ENV CLAMD_SOCKET_FILE $CLAMD_SOCKET_FILE ENV CLAMD_MAX_REQUESTS $CLAMD_MAX_REQUESTS ENV YARA_MAX_REQUESTS $YARA_MAX_REQUESTS 
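Review bot: `EXTRACTED_FILE_WATCHER_POLLING` and `EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC` are introduced without a comment, and the second one encodes a correctness trade-off worth stating: with polling there is presumably no close event, so a file is treated as complete after that many idle seconds, and a value that is too small risks scanning a partially written carve. Suggested comment above the ARG: `# with EXTRACTED_FILE_WATCHER_POLLING=true (no inotify close events) a file is assumed closed after this many seconds without change — TODO confirm against watch_common.py`. `EXTRACTED_FILE_PIPELINE_VERBOSITY=""` replaces two booleans and should list its accepted values.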
@@ -79,7 +81,7 @@ ENV YARA_VERSION "4.3.0" ENV YARA_URL "https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz" ENV YARA_RULES_SRC_DIR "/yara-rules-src" ENV YARA_RULES_DIR "/yara-rules" -ENV CAPA_VERSION "5.0.0" +ENV CAPA_VERSION "5.1.0" ENV CAPA_URL "https://github.com/fireeye/capa/releases/download/v${CAPA_VERSION}/capa-v${CAPA_VERSION}-linux.zip" ENV CAPA_DIR "/opt/capa" ENV CAPA_BIN "${CAPA_DIR}/capa" @@ -89,10 +91,10 @@ ENV EXTRACTED_FILE_HTTP_SERVER_ENCRYPT $EXTRACTED_FILE_HTTP_SERVER_ENCRYPT ENV EXTRACTED_FILE_HTTP_SERVER_KEY $EXTRACTED_FILE_HTTP_SERVER_KEY ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT -ENV SUPERCRONIC_VERSION "0.2.2" +ENV SUPERCRONIC_VERSION "0.2.24" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "2319da694833c7a147976b8e5f337cd83397d6be" +ENV SUPERCRONIC_SHA1SUM "6817299e04457e5d6ec4809c72ee13a43e95ba41" ENV SUPERCRONIC_CRONTAB "/etc/crontab" COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/ @@ -130,11 +132,10 @@ RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.l python3-bs4 \ python3-dev \ python3-pip \ - python3-pyinotify \ python3-requests \ python3-zmq \ rsync && \ - pip3 install clamd supervisor yara-python python-magic psutil pycryptodome && \ + pip3 install clamd supervisor yara-python python-magic psutil pycryptodome watchdog && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ 
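Review bot: `CAPA_VERSION` moves to 5.1.0 but nothing in view records a checksum for the capa zip — there is no `CAPA_SHA*SUM` beside `CAPA_URL` the way `SUPERCRONIC_SHA1SUM` sits beside `SUPERCRONIC_URL` — so that binary is trusted on the TLS download alone; add a recorded sha256 and verify it as the supercronic line does (`echo "${CAPA_SHA256SUM} capa.zip" | sha256sum -c -`), and prefer SHA-256 over the SHA-1 used for supercronic if upstream publishes one. `CAPA_URL` still points at `github.com/fireeye/capa`, which I believe now relies on an org redirect to `mandiant/capa`; updating the path removes a dependency on that redirect. The `pip3 install ... watchdog` line adds another unpinned package installed as root; pinning versions (or a hashed requirements file) keeps the image reproducible. The RUN that contains these lines starts outside the hunk.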
@@ -201,8 +202,12 @@ RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.l ln -r -s /usr/local/bin/zeek_carve_scanner.py /usr/local/bin/capa_scan.py && \ echo "0 */6 * * * /bin/bash /usr/local/bin/capa-update.sh\n0 */6 * * * /usr/local/bin/yara_rules_setup.sh -r \"${YARA_RULES_SRC_DIR}\" -y \"${YARA_RULES_DIR}\"" > ${SUPERCRONIC_CRONTAB} -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic ADD shared/bin/zeek_carve*.py /usr/local/bin/ +ADD shared/bin/watch_common.py /usr/local/bin/ +ADD scripts/malcolm_utils.py /usr/local/bin/ ADD file-monitor/supervisord.conf /etc/supervisord.conf ADD file-monitor/docker-entrypoint.sh /docker-entrypoint.sh ADD file-monitor/*update.sh /usr/local/bin/ @@ -225,7 +230,12 @@ VOLUME ["$YARA_RULES_SRC_DIR"] EXPOSE 3310 EXPOSE $EXTRACTED_FILE_HTTP_SERVER_PORT -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/docker-entrypoint.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "file-monitor", \ + "/docker-entrypoint.sh"] CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile index cdb40b217..5d0a8ddef 100644 --- a/Dockerfiles/file-upload.Dockerfile +++ b/Dockerfiles/file-upload.Dockerfile @@ -4,9 +4,6 @@ FROM debian:11-slim AS build ENV DEBIAN_FRONTEND noninteractive -ARG SITE_NAME="Capture File and Log Archive Upload" - -ENV SITE_NAME $SITE_NAME ENV JQUERY_FILE_UPLOAD_VERSION v9.19.1 ENV JQUERY_FILE_UPLOAD_URL "https://github.com/blueimp/jQuery-File-Upload/archive/${JQUERY_FILE_UPLOAD_VERSION}.tar.gz" 
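Review bot: `ADD file-monitor/docker-entrypoint.sh /docker-entrypoint.sh` and `ADD shared/bin/zeek_carve*.py /usr/local/bin/` are left as plain ADD while the helper scripts beside them gained `COPY --chmod=755`; the entrypoint is executed directly by the new ENTRYPOINT and the carve scripts are symlinked as executables (`ln -r -s /usr/local/bin/zeek_carve_scanner.py /usr/local/bin/capa_scan.py` just above), so their executable bit should not depend on the build context. The file-upload Dockerfile in this same commit already does `COPY --chmod=755 file-upload/docker-entrypoint.sh /docker-entrypoint.sh`; mirror that here. The `COPY --from=ghcr.io/mmguero-dev/gostatic` reference is unpinned and should carry a digest.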
@@ -52,6 +49,9 @@ ENV TERM xterm ARG PHP_VERSION=7.4 ENV PHP_VERSION $PHP_VERSION +ARG SITE_NAME="Capture File and Log Archive Upload" +ENV SITE_NAME $SITE_NAME + COPY --from=build /jQuery-File-Upload/ /var/www/upload/ RUN apt-get -q update && \ @@ -72,9 +72,11 @@ RUN apt-get -q update && \ apt-get clean -y -q && \ rm -rf /var/lib/apt/lists/* -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic +COPY --chmod=755 file-upload/docker-entrypoint.sh /docker-entrypoint.sh ADD docs/images/logo/Malcolm_banner.png /var/www/upload/Malcolm_banner.png -ADD file-upload/docker-entrypoint.sh /docker-entrypoint.sh ADD file-upload/jquery-file-upload/bootstrap.min.css /var/www/upload/bower_components/bootstrap/dist/css/bootstrap.min.css ADD file-upload/jquery-file-upload/index.html /var/www/upload/index.html ADD file-upload/jquery-file-upload/index.php /var/www/upload/server/php/index.php @@ -101,7 +103,12 @@ RUN mkdir -p /var/run/sshd /var/www/upload/server/php/chroot /run/php && \ VOLUME [ "/var/www/upload/server/php/chroot/files" ] EXPOSE 22 80 -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/docker-entrypoint.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "upload", \ + "/docker-entrypoint.sh"] CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf", "-u", "root", "-n"] diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index 3090e047e..f3bcd19d0 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile 
@@ -17,7 +17,7 @@ ENV DEFAULT_GID $DEFAULT_GID ENV PUSER "filebeat" ENV PGROUP "filebeat" # not dropping privileges globally: supervisord will take care of it -# on a case-by-case basis so that one script (filebeat-watch-zeeklogs-uploads-folder.sh) +# on a case-by-case basis so that one script (filebeat-watch-zeeklogs-uploads-folder.py) # can chown uploaded files ENV PUSER_PRIV_DROP false @@ -37,6 +37,8 @@ ARG FILEBEAT_ZEEK_LOG_PATH="/zeek/current" ARG FILEBEAT_ZEEK_LOG_LIVE_PATH="/zeek/live" ARG FILEBEAT_SURICATA_LOG_PATH="/suricata" ARG FILEBEAT_NGINX_LOG_PATH="/nginx" +ARG FILEBEAT_WATCHER_POLLING=false +ARG FILEBEAT_WATCHER_POLLING_ASSUME_CLOSED_SEC=10 ARG LOG_CLEANUP_MINUTES=0 ARG ZIP_CLEANUP_MINUTES=0 ARG NGINX_LOG_ACCESS_AND_ERRORS=false @@ -57,10 +59,10 @@ ARG FILEBEAT_TCP_PARSE_TARGET_FIELD="" ARG FILEBEAT_TCP_PARSE_DROP_FIELD="" ARG FILEBEAT_TCP_TAG="_malcolm_beats" -ENV SUPERCRONIC_VERSION "0.2.2" +ENV SUPERCRONIC_VERSION "0.2.24" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "2319da694833c7a147976b8e5f337cd83397d6be" +ENV SUPERCRONIC_SHA1SUM "6817299e04457e5d6ec4809c72ee13a43e95ba41" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV TINI_VERSION v0.19.0 @@ -91,7 +93,7 @@ RUN apt-get -q update && \ unar \ unzip \ xz-utils && \ - python3 -m pip install patool entrypoint2 pyunpack python-magic ordered-set supervisor && \ + python3 -m pip install patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ 
@@ -102,12 +104,15 @@ RUN apt-get -q update && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic ADD filebeat/filebeat.yml /usr/share/filebeat/filebeat.yml ADD filebeat/filebeat-nginx.yml /usr/share/filebeat-nginx/filebeat-nginx.yml ADD filebeat/filebeat-tcp.yml /usr/share/filebeat-tcp/filebeat-tcp.yml ADD filebeat/scripts /usr/local/bin/ -ADD scripts/malcolm_common.py /usr/local/bin/ +ADD scripts/malcolm_utils.py /usr/local/bin/ +ADD shared/bin/watch_common.py /usr/local/bin/ ADD shared/bin/opensearch_status.sh /usr/local/bin/ ADD filebeat/supervisord.conf /etc/supervisord.conf RUN for INPUT in nginx tcp; do \ @@ -123,6 +128,8 @@ RUN for INPUT in nginx tcp; do \ ENV AUTO_TAG $AUTO_TAG ENV LOG_CLEANUP_MINUTES $LOG_CLEANUP_MINUTES ENV ZIP_CLEANUP_MINUTES $ZIP_CLEANUP_MINUTES +ENV FILEBEAT_WATCHER_POLLING $FILEBEAT_WATCHER_POLLING +ENV FILEBEAT_WATCHER_POLLING_ASSUME_CLOSED_SEC $FILEBEAT_WATCHER_POLLING_ASSUME_CLOSED_SEC ENV FILEBEAT_SCAN_FREQUENCY $FILEBEAT_SCAN_FREQUENCY ENV FILEBEAT_CLEAN_INACTIVE $FILEBEAT_CLEAN_INACTIVE ENV FILEBEAT_IGNORE_OLDER $FILEBEAT_IGNORE_OLDER @@ -157,7 +164,11 @@ ENV FILEBEAT_ZEEK_DIR "/zeek/" VOLUME ["/usr/share/filebeat/data", "/usr/share/filebeat-nginx/data", "/usr/share/filebeat-tcp/data"] -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "filebeat"] CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf", "-u", "root", "-n"] diff --git a/Dockerfiles/freq.Dockerfile b/Dockerfiles/freq.Dockerfile index d32d4c820..e11bdb862 100644 
--- a/Dockerfiles/freq.Dockerfile +++ b/Dockerfiles/freq.Dockerfile @@ -21,11 +21,11 @@ ENV PUSER_PRIV_DROP true ENV DEBIAN_FRONTEND noninteractive ENV TERM xterm -ARG FREQ_PORT=10004 +ARG FREQ_API_PORT=10004 ARG FREQ_LOOKUP=true -ENV FREQ_PORT $FREQ_PORT -ENV FREQ_LOOKUP $FREQ_LOOKUP +ENV FREQ_API_PORT $FREQ_API_PORT +ENV FREQ_LOOKUP $FREQ_LOOKUP ENV FREQ_URL "https://codeload.github.com/markbaggett/freq/tar.gz/master" @@ -55,14 +55,20 @@ RUN apt-get -q update && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic ADD freq-server/supervisord.conf /etc/supervisord.conf WORKDIR /opt/freq_server -EXPOSE $FREQ_PORT +EXPOSE $FREQ_API_PORT -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "freq"] CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] diff --git a/Dockerfiles/htadmin.Dockerfile b/Dockerfiles/htadmin.Dockerfile index 457929ae2..35c3728e9 100644 --- a/Dockerfiles/htadmin.Dockerfile +++ b/Dockerfiles/htadmin.Dockerfile 
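Review bot: Renaming the build argument and environment variable FREQ_PORT to FREQ_API_PORT changes the container's configuration interface, so any existing .env file or compose override that still sets FREQ_PORT is silently ignored and the service falls back to the default 10004. Unless the compose files and env templates are updated in the same commit, keep the old name as a deprecated alias for one release or call the rename out in the upgrade notes. The PCAP_PIPELINE_DEBUG/PCAP_PIPELINE_DEBUG_EXTRA to PCAP_PIPELINE_VERBOSITY change in the pcap-monitor and suricata Dockerfiles has the same compatibility effect.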
@@ -61,11 +61,14 @@ RUN apt-get -q update && \ cd /tmp && \ mkdir -p ./htadmin && \ curl -sSL "$HTADMIN_URL" | tar xzvf - -C ./htadmin --strip-components 1 && \ + find /tmp/htadmin -type f -name index.php -execdir mv index.php htadmin.php \; && \ + find /tmp/htadmin -type f -exec sed -i 's/index.php/htadmin.php/g' "{}" \; && \ mv /tmp/htadmin/sites/html/htadmin /var/www/htadmin && \ cd /var/www/htadmin && \ ( grep -rhoPi "(src|href)=['\"]https?://.+?['\"]" ./includes/* | sed "s/^[a-zA-Z]*=['\"]*//" | sed "s/['\"]$//" | xargs -r -l curl -s -S -L -J -O ) && \ sed -i "s@http[^'\"]*/@@gI" ./includes/* && \ - mkdir fonts && cd fonts && \ + mkdir -p fonts config auth default && \ + cd fonts && \ curl -s -S -L -J -O "https://maxcdn.bootstrapcdn.com/bootstrap/$BOOTSTRAP_VERSION/fonts/glyphicons-halflings-regular.ttf" && \ curl -s -S -L -J -O "https://maxcdn.bootstrapcdn.com/bootstrap/$BOOTSTRAP_VERSION/fonts/glyphicons-halflings-regular.woff" && \ curl -s -S -L -J -O "https://maxcdn.bootstrapcdn.com/bootstrap/$BOOTSTRAP_VERSION/fonts/glyphicons-halflings-regular.woff2" && \ @@ -76,7 +79,9 @@ RUN apt-get -q update && \ apt-get clean -y -q && \ rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/* /var/www/html -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic ADD docs/images/favicon/favicon.ico /var/www/htadmin/ ADD htadmin/supervisord.conf /supervisord.conf ADD htadmin/htadmin.sh /usr/local/bin/ 
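Review bot: In `find /tmp/htadmin -type f -exec sed -i 's/index.php/htadmin.php/g' "{}" \;` the dot in the search pattern is unescaped, so it matches any character in that position, and because the find has no name filter the in-place edit is also applied to binary assets such as fonts and images. Escape the pattern, `sed -i 's/index\.php/htadmin.php/g'`, and limit the find to the text files that can reference the renamed page, for example `find /tmp/htadmin -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) -exec ...`. The enclosing RUN instruction starts before this hunk and continues after it.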
@@ -86,7 +91,11 @@ ADD htadmin/nginx/sites-available/default /etc/nginx/sites-available/default EXPOSE 80 -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "htadmin"] CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf", "-u", "root", "-n"] diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 0d3fc882e..ac106cc33 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -16,6 +16,7 @@ ENV DEFAULT_GID $DEFAULT_GID ENV PUSER "logstash" ENV PGROUP "logstash" ENV PUSER_PRIV_DROP true +ENV PUSER_RLIMIT_UNLOCK true ENV DEBIAN_FRONTEND noninteractive ENV TERM xterm @@ -27,7 +28,6 @@ ARG LOGSTASH_PARSE_PIPELINE_ADDRESSES=zeek-parse,suricata-parse,beats-parse ARG LOGSTASH_OPENSEARCH_PIPELINE_ADDRESS_INTERNAL=internal-os ARG LOGSTASH_OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL=external-os ARG LOGSTASH_OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES=internal-os,external-os -ARG LOGSTASH_NETWORK_MAP_ENRICHMENT=true ARG LOGSTASH_NETBOX_ENRICHMENT=false ARG LOGSTASH_NETBOX_ENRICHMENT_VERBOSE=false ARG LOGSTASH_NETBOX_ENRICHMENT_LOOKUP_SERVICE=true @@ -37,7 +37,6 @@ ENV LOGSTASH_PARSE_PIPELINE_ADDRESSES $LOGSTASH_PARSE_PIPELINE_ADDRESSES ENV LOGSTASH_OPENSEARCH_PIPELINE_ADDRESS_INTERNAL $LOGSTASH_OPENSEARCH_PIPELINE_ADDRESS_INTERNAL ENV LOGSTASH_OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL $LOGSTASH_OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL ENV LOGSTASH_OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES $LOGSTASH_OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES -ENV LOGSTASH_NETWORK_MAP_ENRICHMENT $LOGSTASH_NETWORK_MAP_ENRICHMENT ENV LOGSTASH_NETBOX_ENRICHMENT $LOGSTASH_NETBOX_ENRICHMENT ENV LOGSTASH_NETBOX_ENRICHMENT_VERBOSE $LOGSTASH_NETBOX_ENRICHMENT_VERBOSE ENV LOGSTASH_NETBOX_ENRICHMENT_LOOKUP_SERVICE $LOGSTASH_NETBOX_ENRICHMENT_LOOKUP_SERVICE 
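Review bot: `ENV PUSER_RLIMIT_UNLOCK true` is added to logstash.Dockerfile with no comment on what it changes, yet by its name it presumably tells docker-uid-gid-setup.sh to raise process resource limits, which is a privilege-relevant setting worth explaining in place. Suggest a line above it such as `# PUSER_RLIMIT_UNLOCK: have docker-uid-gid-setup.sh lift rlimits (e.g. memlock) before the service starts`, with the actual limits confirmed against that script, which is not in this diff. The same undocumented line is added to the opensearch, pcap-capture, suricata and zeek Dockerfiles.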
@@ -74,9 +73,12 @@ RUN set -x && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/bin/jruby \ /root/.cache /root/.gem /root/.bundle -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ -ADD shared/bin/manuf-oui-parse.py /usr/local/bin/ -ADD shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic +COPY --chmod=755 shared/bin/manuf-oui-parse.py /usr/local/bin/ +COPY --chmod=755 shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/keystore-bootstrap.sh /usr/local/bin/ ADD logstash/maps/*.yaml /etc/ ADD logstash/config/log4j2.properties /usr/share/logstash/config/ ADD logstash/config/logstash.yml /usr/share/logstash/config/logstash.orig.yml @@ -84,16 +86,20 @@ ADD logstash/pipelines/ /usr/share/logstash/malcolm-pipelines/ ADD logstash/patterns/ /usr/share/logstash/malcolm-patterns/ ADD logstash/ruby/ /usr/share/logstash/malcolm-ruby/ ADD logstash/scripts /usr/local/bin/ -ADD scripts/malcolm_common.py /usr/local/bin/ +ADD scripts/malcolm_utils.py /usr/local/bin/ ADD logstash/supervisord.conf /etc/supervisord.conf RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true" && \ usermod -a -G tty ${PUSER} && \ rm -f /usr/share/logstash/pipeline/logstash.conf && \ rmdir /usr/share/logstash/pipeline && \ - mkdir /logstash-persistent-queue && \ + mkdir -p /logstash-persistent-queue \ + /usr/share/logstash/config/bootstrap \ + /usr/share/logstash/config/persist && \ chown --silent -R ${PUSER}:root \ /usr/share/logstash/config/logstash*.yml \ + /usr/share/logstash/config/bootstrap \ + /usr/share/logstash/config/persist \ /usr/share/logstash/malcolm-pipelines \ /usr/share/logstash/malcolm-patterns \ /usr/share/logstash/malcolm-ruby \ 
@@ -118,7 +124,11 @@ EXPOSE 5044 EXPOSE 9001 EXPOSE 9600 -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "logstash"] CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] diff --git a/Dockerfiles/name-map-ui.Dockerfile b/Dockerfiles/name-map-ui.Dockerfile deleted file mode 100644 index fcc0a0a5a..000000000 --- a/Dockerfiles/name-map-ui.Dockerfile +++ /dev/null 
@@ -1,83 +0,0 @@ -FROM alpine:3.17 - -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. -LABEL maintainer="malcolm@inl.gov" -LABEL org.opencontainers.image.authors='malcolm@inl.gov' -LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' -LABEL org.opencontainers.image.documentation='https://github.com/idaholab/Malcolm/blob/main/README.md' -LABEL org.opencontainers.image.source='https://github.com/idaholab/Malcolm' -LABEL org.opencontainers.image.vendor='Idaho National Laboratory' -LABEL org.opencontainers.image.title='ghcr.io/idaholab/malcolm/name-map-ui' -LABEL org.opencontainers.image.description='Malcolm container providing a user interface for mapping names to network hosts and subnets' - -ARG DEFAULT_UID=1000 -ARG DEFAULT_GID=1000 -ENV DEFAULT_UID $DEFAULT_UID -ENV DEFAULT_GID $DEFAULT_GID -ENV PUSER "nginxsrv" -ENV PGROUP "nginxsrv" -ENV PUSER_PRIV_DROP true -ENV PUSER_CHOWN "/var/www/html;/var/lib/nginx;/var/log/nginx" - -ENV TERM xterm - -ENV JQUERY_VERSION 1.6.4 -ENV LISTJS_VERSION v1.5.0 - -RUN apk update --no-cache && \ - apk upgrade --no-cache && \ - apk --no-cache add bash php81 php81-fpm php81-mysqli php81-json php81-openssl php81-curl php81-fileinfo \ - php81-zlib php81-xml php81-phar php81-intl php81-dom php81-xmlreader php81-ctype php81-session \ - php81-mbstring php81-gd nginx supervisor curl inotify-tools file psmisc rsync shadow openssl tini - -COPY name-map-ui/config/nginx.conf /etc/nginx/nginx.conf -COPY name-map-ui/config/fpm-pool.conf /etc/php81/php-fpm.d/www.conf -COPY name-map-ui/config/php.ini /etc/php81/conf.d/custom.ini -COPY name-map-ui/config/supervisord.conf /etc/supervisord.conf -COPY name-map-ui/config/supervisor_logstash_ctl.conf /etc/supervisor/logstash/supervisord.conf -COPY name-map-ui/config/supervisor_netbox_ctl.conf /etc/supervisor/netbox/supervisord.conf -COPY name-map-ui/scripts/*.sh /usr/local/bin/ - -RUN curl -sSL -o /tmp/jquery.min.js 
"https://code.jquery.com/jquery-${JQUERY_VERSION}.min.js" && \ - curl -sSL -o /tmp/list.min.js "https://raw.githubusercontent.com/javve/list.js/${LISTJS_VERSION}/dist/list.min.js" && \ - rm -rf /etc/nginx/conf.d/default.conf /var/www/html/* && \ - mkdir -p /var/www/html/upload /var/www/html/maps && \ - cd /var/www/html && \ - mv /tmp/jquery.min.js /tmp/list.min.js ./ && \ - chmod 644 ./jquery.min.js ./list.min.js && \ - ln -s . name-map-ui && \ - addgroup -g ${DEFAULT_GID} ${PGROUP} ; \ - adduser -D -H -u ${DEFAULT_UID} -h /var/www/html -s /sbin/nologin -G ${PGROUP} -g ${PUSER} ${PUSER} ; \ - addgroup ${PUSER} nginx ; \ - addgroup ${PUSER} shadow ; \ - addgroup ${PUSER} tty ; \ - addgroup nginx tty ; \ - chown -R ${PUSER}:${PGROUP} /var/www/html && \ - chown -R ${PUSER}:${PGROUP} /var/lib/nginx && \ - chown -R ${PUSER}:${PGROUP} /var/log/nginx && \ - chmod 755 /usr/local/bin/*.sh - -VOLUME /var/www/html - -WORKDIR /var/www/html - -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ -COPY name-map-ui/site/ /var/www/html/ -COPY docs/images/logo/Malcolm_banner.png /var/www/html/ -COPY docs/images/favicon/favicon.ico /var/www/html/ - -EXPOSE 8080 - -ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] - -CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] - - -# to be populated at build-time: -ARG BUILD_DATE -ARG MALCOLM_VERSION -ARG VCS_REVISION - -LABEL org.opencontainers.image.created=$BUILD_DATE -LABEL org.opencontainers.image.version=$MALCOLM_VERSION -LABEL org.opencontainers.image.revision=$VCS_REVISION diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index 8e1a369a9..a546542aa 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile 
@@ -22,10 +22,10 @@ ENV PUSER "boxer" ENV PGROUP "boxer" ENV PUSER_PRIV_DROP true -ENV SUPERCRONIC_VERSION "0.2.2" +ENV SUPERCRONIC_VERSION "0.2.24" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "2319da694833c7a147976b8e5f337cd83397d6be" +ENV SUPERCRONIC_SHA1SUM "6817299e04457e5d6ec4809c72ee13a43e95ba41" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV NETBOX_DEVICETYPE_LIBRARY_URL "https://codeload.github.com/netbox-community/devicetype-library/tar.gz/master" @@ -77,14 +77,19 @@ RUN apt-get -q update && \ COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic COPY --chmod=755 netbox/scripts/* /usr/local/bin/ COPY --chmod=644 netbox/supervisord.conf /etc/supervisord.conf COPY --chmod=644 netbox/*-defaults.json /etc/ -COPY --from=pierrezemb/gostatic --chmod=755 /goStatic /usr/bin/goStatic +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic EXPOSE 9001 -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/service_check_passthrough.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "netbox"] CMD ["/opt/netbox/docker-entrypoint.sh", "/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] diff --git a/Dockerfiles/nginx.Dockerfile b/Dockerfiles/nginx.Dockerfile index b78d3bf4d..761ef04b9 100644 --- a/Dockerfiles/nginx.Dockerfile +++ b/Dockerfiles/nginx.Dockerfile 
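Review bot: After this hunk netbox.Dockerfile contains two identical `COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic` instructions — one inserted after service_check_passthrough.sh and one that replaces the old pierrezemb/gostatic line — which adds a redundant layer and fetches the external image twice. Drop the second occurrence and keep only the one grouped with the other shared helper scripts. The postgresql and redis Dockerfiles only replace their single existing line and are not affected.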
@@ -87,10 +87,12 @@ ENV NGINX_LDAP_TLS_STUNNEL_CHECK_IP $NGINX_LDAP_TLS_STUNNEL_CHECK_IP ENV NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL $NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL # build latest nginx with nginx-auth-ldap -ENV NGINX_VERSION=1.20.2 +ENV NGINX_VERSION=1.22.1 ENV NGINX_AUTH_LDAP_BRANCH=master +ENV NGINX_HTTP_SUB_FILTER_BRANCH=master ADD https://codeload.github.com/mmguero-dev/nginx-auth-ldap/tar.gz/$NGINX_AUTH_LDAP_BRANCH /nginx-auth-ldap.tar.gz +ADD https://codeload.github.com/yaoweibin/ngx_http_substitutions_filter_module/tar.gz/$NGINX_HTTP_SUB_FILTER_BRANCH /ngx_http_substitutions_filter_module-master.tar.gz ADD http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz /nginx.tar.gz RUN set -x ; \ @@ -140,6 +142,7 @@ RUN set -x ; \ --with-file-aio \ --with-http_v2_module \ --add-module=/usr/src/nginx-auth-ldap \ + --add-module=/usr/src/ngx_http_substitutions_filter_module \ " ; \ apk update --no-cache; \ apk upgrade --no-cache; \ @@ -166,9 +169,10 @@ RUN set -x ; \ zlib-dev \ ; \ \ - mkdir -p /usr/src/nginx-auth-ldap /www /www/logs/nginx ; \ + mkdir -p /usr/src/nginx-auth-ldap /usr/src/ngx_http_substitutions_filter_module /www /www/logs/nginx /var/log/nginx ; \ tar -zxC /usr/src -f /nginx.tar.gz ; \ tar -zxC /usr/src/nginx-auth-ldap --strip=1 -f /nginx-auth-ldap.tar.gz ; \ + tar -zxC /usr/src/ngx_http_substitutions_filter_module --strip=1 -f /ngx_http_substitutions_filter_module-master.tar.gz ; \ cd /usr/src/nginx-$NGINX_VERSION ; \ ./configure $CONFIG --with-debug ; \ make -j$(getconf _NPROCESSORS_ONLN) ; \ @@ -182,8 +186,7 @@ RUN set -x ; \ make -j$(getconf _NPROCESSORS_ONLN) ; \ make install ; \ rm -rf /etc/nginx/html/ ; \ - mkdir -p /etc/nginx/conf.d/ ; \ - mkdir -p /usr/share/nginx/html/ ; \ + mkdir -p /etc/nginx/conf.d/ /etc/nginx/auth/ /usr/share/nginx/html/ ; \ install -m644 html/index.html /usr/share/nginx/html/ ; \ install -m644 html/50x.html /usr/share/nginx/html/ ; \ install -m755 objs/nginx-debug /usr/sbin/nginx-debug ; \ 
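Review bot: `ADD https://codeload.github.com/yaoweibin/ngx_http_substitutions_filter_module/tar.gz/$NGINX_HTTP_SUB_FILTER_BRANCH` with `NGINX_HTTP_SUB_FILTER_BRANCH=master` compiles the moving head of a third-party repository into nginx with no checksum, so the build is not reproducible and any change to that repository lands in the image unreviewed. Pin to a specific commit, `ENV NGINX_HTTP_SUB_FILTER_BRANCH=<commit sha>`, and verify the archive before extraction, `echo "<sha256>  /ngx_http_substitutions_filter_module-master.tar.gz" | sha256sum -c -`, in the RUN that unpacks it. The pre-existing nginx-auth-ldap ADD has the same shape, so both archives could share one verification step.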
@@ -216,7 +219,7 @@ RUN set -x ; \ apk del .nginx-build-deps ; \ apk del .gettext ; \ mv /tmp/envsubst /usr/local/bin/ ; \ - rm -rf /usr/src/* /var/tmp/* /var/cache/apk/* /nginx.tar.gz /nginx-auth-ldap.tar.gz; \ + rm -rf /usr/src/* /var/tmp/* /var/cache/apk/* /nginx.tar.gz /nginx-auth-ldap.tar.gz /ngx_http_substitutions_filter_module-master.tar.gz; \ touch /etc/nginx/nginx_ldap.conf /etc/nginx/nginx_blank.conf; COPY --from=jwilder/nginx-proxy:alpine /app/nginx.tmpl /etc/nginx/ @@ -224,7 +227,7 @@ COPY --from=jwilder/nginx-proxy:alpine /etc/nginx/network_internal.conf /etc/ngi COPY --from=jwilder/nginx-proxy:alpine /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/ COPY --from=docbuild /site/_site /usr/share/nginx/html/readme -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ ADD nginx/scripts /usr/local/bin/ ADD nginx/*.conf /etc/nginx/ ADD nginx/supervisord.conf /etc/ @@ -233,7 +236,10 @@ ADD docs/images/icon/favicon.ico /usr/share/nginx/html/favicon.ico VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam"] -ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/docker_entrypoint.sh"] +ENTRYPOINT ["/sbin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/docker_entrypoint.sh"] CMD ["supervisord", "-c", "/etc/supervisord.conf", "-u", "root", "-n"] diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile index 2caa74faf..a65b0a1c5 100644 --- a/Dockerfiles/opensearch.Dockerfile +++ b/Dockerfiles/opensearch.Dockerfile @@ -18,6 +18,7 @@ ENV PUID $DEFAULT_UID ENV PUSER "opensearch" ENV PGROUP "opensearch" ENV PUSER_PRIV_DROP true +ENV PUSER_RLIMIT_UNLOCK true ENV TERM xterm 
@@ -26,7 +27,7 @@ ENV TINI_VERSION v0.19.0 ARG OPENSEARCH_LOCAL=true ENV OPENSEARCH_LOCAL $OPENSEARCH_LOCAL -ARG MALCOLM_API_URL="http://api:5000/event" +ARG MALCOLM_API_URL="http://api:5000/mapi/event" ENV MALCOLM_API_URL $MALCOLM_API_URL ARG DISABLE_INSTALL_DEMO_CONFIG=true 
@@ -48,20 +49,41 @@ RUN yum install -y openssl util-linux procps rsync && \ echo -e 'cluster.name: "docker-cluster"\nnetwork.host: 0.0.0.0\nbootstrap.memory_lock: true\nhttp.cors.enabled: true\nhttp.cors.allow-origin: "*"\nhttp.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE\nhttp.cors.allow-headers: "kbn-version, Origin, X-Requested-With, Content-Type, Accept, Engaged-Auth-Token Authorization"' > /usr/share/opensearch/config/opensearch.yml && \ sed -i "s/#[[:space:]]*\([0-9]*-[0-9]*:-XX:-\(UseConcMarkSweepGC\|UseCMSInitiatingOccupancyOnly\)\)/\1/" /usr/share/opensearch/config/jvm.options && \ sed -i "s/^[0-9][0-9]*\(-:-XX:\(+UseG1GC\|G1ReservePercent\|InitiatingHeapOccupancyPercent\)\)/$($OPENSEARCH_JAVA_HOME/bin/java -version 2>&1 | grep version | awk '{print $3}' | tr -d '\"' | cut -d. -f1)\1/" /usr/share/opensearch/config/jvm.options && \ - mkdir -p /var/local/ca-trust && \ - chown -R $PUSER:$PGROUP /usr/share/opensearch/config/opensearch.yml /var/local/ca-trust && \ + mkdir -p /var/local/ca-trust \ + /opt/opensearch/backup \ + /usr/share/opensearch/config/bootstrap \ + /usr/share/opensearch/config/persist && \ + chown -R $PUSER:$PGROUP /usr/share/opensearch/config/opensearch.yml \ + /var/local/ca-trust \ + /opt/opensearch/backup \ + /usr/share/opensearch/config/bootstrap \ + /usr/share/opensearch/config/persist && \ chmod +x /usr/bin/tini && \ - sed -i '/^[[:space:]]*runOpensearch.*/i /usr/local/bin/jdk-cacerts-auto-import.sh || true' /usr/share/opensearch/opensearch-docker-entrypoint.sh - - -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ -ADD shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/ -COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/docker-entrypoint.sh -COPY --from=pierrezemb/gostatic --chmod=755 /goStatic /usr/bin/goStatic + sed -i '/^[[:space:]]*runOpensearch.*/i /usr/local/bin/jdk-cacerts-auto-import.sh || true' /usr/share/opensearch/opensearch-docker-entrypoint.sh && \ + sed -i 
'/^[[:space:]]*runOpensearch.*/i /usr/local/bin/keystore-bootstrap.sh || true' /usr/share/opensearch/opensearch-docker-entrypoint.sh + +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/keystore-bootstrap.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic + +ENV bootstrap.memory_lock "true" +ENV cluster.routing.allocation.disk.threshold_enabled "false" +ENV cluster.routing.allocation.node_initial_primaries_recoveries 8 +ENV discovery.type "single-node" +ENV indices.query.bool.max_clause_count 4096 +ENV logger.level "WARN" +ENV MAX_LOCKED_MEMORY "unlimited" +ENV path.repo "/opt/opensearch/backup" VOLUME ["/var/local/ca-trust"] -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/docker-entrypoint.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "opensearch"] CMD ["/usr/share/opensearch/opensearch-docker-entrypoint.sh"] diff --git a/Dockerfiles/pcap-capture.Dockerfile b/Dockerfiles/pcap-capture.Dockerfile index 39ebea6b2..8254959cb 100644 --- a/Dockerfiles/pcap-capture.Dockerfile +++ b/Dockerfiles/pcap-capture.Dockerfile @@ -23,6 +23,7 @@ ENV PGROUP "pcap" # docker-uid-gid-setup.sh will cause them to be lost, so we need # a final check in supervisor.sh before startup ENV PUSER_PRIV_DROP false +ENV PUSER_RLIMIT_UNLOCK true ENV DEBIAN_FRONTEND noninteractive ENV TERM xterm 
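Review bot: The two `sed -i '/^[[:space:]]*runOpensearch.*/i ...'` calls silently do nothing if a future upstream opensearch-docker-entrypoint.sh no longer contains a line matching `runOpensearch`, and the `|| true` on the inserted lines means a failing keystore-bootstrap.sh (which presumably loads secrets into the keystore) never stops startup. Guard the edit with a build-time assertion placed before the seds, `grep -q '^[[:space:]]*runOpensearch' /usr/share/opensearch/opensearch-docker-entrypoint.sh && \`, so the image fails to build rather than ship without the hooks, and have keystore-bootstrap.sh log loudly when it falls through. `ENV cluster.routing.allocation.disk.threshold_enabled "false"` also deserves a comment, since it removes the disk-watermark protection that stops the node from filling its data volume. The enclosing RUN starts before this hunk.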
@@ -52,8 +53,10 @@ ENV PCAP_PATH $PCAP_PATH ENV PCAP_FILTER $PCAP_FILTER ENV PCAP_SNAPLEN $PCAP_SNAPLEN -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ -ADD shared/bin/nic-capture-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic +COPY --chmod=755 shared/bin/nic-capture-setup.sh /usr/local/bin/ ADD pcap-capture/supervisord.conf /etc/supervisord.conf ADD pcap-capture/scripts/*.sh /usr/local/bin/ ADD pcap-capture/templates/*.template /etc/supervisor.d/ @@ -89,7 +92,11 @@ RUN apt-get -q update && \ WORKDIR "$PCAP_PATH" -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "pcap-capture"] CMD ["/usr/local/bin/supervisor.sh"] diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile index af421681f..9410d2542 100644 --- a/Dockerfiles/pcap-monitor.Dockerfile +++ b/Dockerfiles/pcap-monitor.Dockerfile 
@@ -27,18 +27,20 @@ ENV TERM xterm ARG OPENSEARCH_URL="http://opensearch:9200" ARG OPENSEARCH_LOCAL=true ARG PCAP_PATH=/pcap -ARG PCAP_PIPELINE_DEBUG=false -ARG PCAP_PIPELINE_DEBUG_EXTRA=false +ARG PCAP_PIPELINE_VERBOSITY="" ARG PCAP_PIPELINE_IGNORE_PREEXISTING=false +ARG PCAP_PIPELINE_POLLING=false +ARG PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC=10 ARG PCAP_NODE_NAME=malcolm ARG ZEEK_PATH=/zeek ENV OPENSEARCH_URL $OPENSEARCH_URL ENV OPENSEARCH_LOCAL $OPENSEARCH_LOCAL ENV PCAP_PATH $PCAP_PATH -ENV PCAP_PIPELINE_DEBUG $PCAP_PIPELINE_DEBUG -ENV PCAP_PIPELINE_DEBUG_EXTRA $PCAP_PIPELINE_DEBUG_EXTRA +ENV PCAP_PIPELINE_VERBOSITY $PCAP_PIPELINE_VERBOSITY ENV PCAP_PIPELINE_IGNORE_PREEXISTING $PCAP_PIPELINE_IGNORE_PREEXISTING +ENV PCAP_PIPELINE_POLLING $PCAP_PIPELINE_POLLING +ENV PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC $PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC ENV PCAP_NODE_NAME $PCAP_NODE_NAME ENV ZEEK_PATH $ZEEK_PATH 
@@ -60,20 +62,27 @@ RUN apt-get -q update && \ vim-tiny && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* && \ - pip3 install --no-cache-dir opensearch-py pyzmq pyinotify python-magic requests && \ + pip3 install --no-cache-dir opensearch-py pyzmq python-magic requests watchdog && \ groupadd --gid ${DEFAULT_GID} ${PGROUP} && \ useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER} -ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic ADD pcap-monitor/supervisord.conf /etc/supervisord.conf ADD pcap-monitor/scripts/ /usr/local/bin/ ADD shared/bin/pcap_watcher.py /usr/local/bin/ ADD shared/bin/pcap_utils.py /usr/local/bin/ -ADD scripts/malcolm_common.py /usr/local/bin/ +ADD shared/bin/watch_common.py /usr/local/bin/ +ADD scripts/malcolm_utils.py /usr/local/bin/ EXPOSE 30441 -ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/usr/bin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "pcap-monitor"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-u", "root", "-n"] diff --git a/Dockerfiles/postgresql.Dockerfile b/Dockerfiles/postgresql.Dockerfile index 24e26eabf..ea4e14f69 100644 --- a/Dockerfiles/postgresql.Dockerfile +++ b/Dockerfiles/postgresql.Dockerfile @@ -23,7 +23,7 @@ ENV TERM xterm COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ -COPY --from=pierrezemb/gostatic --chmod=755 /goStatic /usr/bin/goStatic +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic RUN apk update --no-cache && \ apk upgrade --no-cache && \ 
@@ -40,7 +40,11 @@ RUN apk update --no-cache && \ USER root -ENTRYPOINT ["/sbin/tini", "--", "/usr/bin/docker-uid-gid-setup.sh", "/usr/local/bin/service_check_passthrough.sh"] +ENTRYPOINT ["/sbin/tini", \ + "--", \ + "/usr/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "netbox"] CMD ["/usr/bin/docker-entrypoint.sh", "postgres"] diff --git a/Dockerfiles/redis.Dockerfile b/Dockerfiles/redis.Dockerfile index 49088ca9a..a25c17c72 100644 --- a/Dockerfiles/redis.Dockerfile +++ b/Dockerfiles/redis.Dockerfile @@ -22,7 +22,7 @@ ENV TERM xterm COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ -COPY --from=pierrezemb/gostatic --chmod=755 /goStatic /usr/bin/goStatic +COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic RUN apk update --no-cache && \ apk upgrade --no-cache && \ @@ -31,7 +31,11 @@ RUN apk update --no-cache && \ WORKDIR /home/${PUSER} -ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/service_check_passthrough.sh"] +ENTRYPOINT ["/sbin/tini", \ + "--", \ + "/usr/local/bin/docker-uid-gid-setup.sh", \ + "/usr/local/bin/service_check_passthrough.sh", \ + "-s", "netbox"] # to be populated at build-time: ARG BUILD_DATE diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile index 48f48c379..0d1303a91 100644 --- a/Dockerfiles/suricata.Dockerfile +++ b/Dockerfiles/suricata.Dockerfile 
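Review bot: Both the postgresql and redis ENTRYPOINTs pass `-s netbox` to service_check_passthrough.sh rather than their own service names, while every other Dockerfile in this commit passes its own; if `-s` selects whose enabled flag gates startup this is presumably intentional because both containers only back NetBox, but it reads like a copy-paste slip. A one-line comment above each ENTRYPOINT, `# gated as "netbox": this container only runs when the NetBox service is enabled`, would make the intent explicit. Separately, the postgresql ENTRYPOINT invokes `/usr/bin/docker-uid-gid-setup.sh` while the COPY earlier in that file places the script in `/usr/local/bin/`; unless a RUN outside this diff links the two paths, the container will fail at start.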
@@ -26,14 +26,15 @@ ENV PGROUP "suricata" # docker-uid-gid-setup.sh will cause them to be lost, so we need # a final check in docker_entrypoint.sh before startup ENV PUSER_PRIV_DROP false +ENV PUSER_RLIMIT_UNLOCK true -ENV SUPERCRONIC_VERSION "0.2.2" +ENV SUPERCRONIC_VERSION "0.2.24" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "2319da694833c7a147976b8e5f337cd83397d6be" +ENV SUPERCRONIC_SHA1SUM "6817299e04457e5d6ec4809c72ee13a43e95ba41" ENV SUPERCRONIC_CRONTAB "/etc/crontab" -ENV YQ_VERSION "4.24.2" +ENV YQ_VERSION "4.33.3" ENV YQ_URL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" ENV SURICATA_CONFIG_DIR /etc/suricata @@ -90,13 +91,17 @@ RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.l moreutils \ procps \ psmisc \ + python3-pip \ python3-ruamel.yaml \ + python3-setuptools \ + python3-wheel \ python3-zmq \ rsync \ supervisor \ vim-tiny \ tini \ zlib1g && \ + pip3 install --no-cache-dir watchdog && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ 
@@ -124,15 +129,17 @@ RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.l
 COPY --chmod=644 shared/bin/pcap_utils.py /usr/local/bin/
 COPY --chmod=644 suricata/supervisord.conf /etc/supervisord.conf
 COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
+COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/
+COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
 COPY --chmod=755 shared/bin/nic-capture-setup.sh /usr/local/bin/
 COPY --chmod=755 shared/bin/pcap_processor.py /usr/local/bin/
+COPY --chmod=644 scripts/malcolm_utils.py /usr/local/bin/
 COPY --chmod=755 shared/bin/suricata_config_populate.py /usr/local/bin/
 COPY --chmod=755 suricata/scripts/docker_entrypoint.sh /usr/local/bin/
 COPY --chmod=755 suricata/scripts/eve-clean-logs.sh /usr/local/bin/
 COPY --chmod=755 suricata/scripts/suricata-update-rules.sh /usr/local/bin/
-ARG PCAP_PIPELINE_DEBUG=false
-ARG PCAP_PIPELINE_DEBUG_EXTRA=false
+ARG PCAP_PIPELINE_VERBOSITY=""
 ARG PCAP_MONITOR_HOST=pcap-monitor
 ARG AUTO_TAG=true
 ARG SURICATA_PCAP_PROCESSOR=true
@@ -151,8 +158,7 @@ ARG PCAP_IFACE=lo
 ARG PCAP_IFACE_TWEAK=false
 ARG PCAP_FILTER=
-ENV PCAP_PIPELINE_DEBUG $PCAP_PIPELINE_DEBUG
-ENV PCAP_PIPELINE_DEBUG_EXTRA $PCAP_PIPELINE_DEBUG_EXTRA
+ENV PCAP_PIPELINE_VERBOSITY $PCAP_PIPELINE_VERBOSITY
 ENV PCAP_MONITOR_HOST $PCAP_MONITOR_HOST
 ENV AUTO_TAG $AUTO_TAG
 ENV SURICATA_PCAP_PROCESSOR $SURICATA_PCAP_PROCESSOR
@@ -180,6 +186,11 @@ VOLUME ["$SURICATA_RUN_DIR"]
 WORKDIR $SURICATA_RUN_DIR
-ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/docker_entrypoint.sh"]
+ENTRYPOINT ["/usr/bin/tini", \
+ "--", \
+ "/usr/local/bin/docker-uid-gid-setup.sh", \
+ "/usr/local/bin/service_check_passthrough.sh", \
+ "-s", "suricata", \
+ "/usr/local/bin/docker_entrypoint.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"]
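Review bot: `ARG PCAP_PIPELINE_VERBOSITY=""` replaces two boolean build arguments with a free-form string, but nothing in the Dockerfile says what values it accepts or which script consumes it, and the same rename is repeated in zeek.Dockerfile on later lines. A comment above the ARG, `# verbosity setting handed to the pcap pipeline scripts; see pcap_processor.py for the accepted values`, would tell an operator what to put in it; confirm against pcap_processor.py that it is indeed the consumer. Any docs or compose files that still reference `PCAP_PIPELINE_DEBUG` / `PCAP_PIPELINE_DEBUG_EXTRA` will now silently set nothing, which is worth a grep before merging.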
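Review bot: In the new ENTRYPOINT, `service_check_passthrough.sh -s suricata` runs before `docker_entrypoint.sh`, whereas the zeek.Dockerfile ENTRYPOINT hunk later in this diff orders them the other way round (`docker_entrypoint.sh` first, then `service_check_passthrough.sh -s zeek`); both images carry the same `PUSER_PRIV_DROP false` / "final check in docker_entrypoint.sh" arrangement, so one of the two orders is presumably unintended. If service_check_passthrough.sh can stop the chain and serve something itself (it is copied next to goStatic in the first hunk of this line), in the suricata order that would happen before whatever privilege drop docker_entrypoint.sh performs, i.e. still as root. Either align the two files or add a comment on the ENTRYPOINT explaining why the order differs.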
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index b4dc385bf..a7294f7b0 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -28,18 +28,19 @@ ENV PGROUP "zeeker"
 # docker-uid-gid-setup.sh will cause them to be lost, so we need
 # a final check in docker_entrypoint.sh before startup
 ENV PUSER_PRIV_DROP false
+ENV PUSER_RLIMIT_UNLOCK true
 # for download and install
 ARG ZEEK_LTS=
-ARG ZEEK_VERSION=5.2.0-0
+ARG ZEEK_VERSION=5.2.1-0
 ENV ZEEK_LTS $ZEEK_LTS
 ENV ZEEK_VERSION $ZEEK_VERSION
-ENV SUPERCRONIC_VERSION "0.2.2"
+ENV SUPERCRONIC_VERSION "0.2.24"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "2319da694833c7a147976b8e5f337cd83397d6be"
+ENV SUPERCRONIC_SHA1SUM "6817299e04457e5d6ec4809c72ee13a43e95ba41"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 # for build
@@ -149,9 +150,12 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/cache/*/*
 # add configuration and scripts
-ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
+COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
+COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/
+COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
 ADD shared/bin/pcap_processor.py /usr/local/bin/
 ADD shared/bin/pcap_utils.py /usr/local/bin/
+ADD scripts/malcolm_utils.py /usr/local/bin/
 ADD shared/bin/zeek*threat*.py ${ZEEK_DIR}/bin/
 ADD shared/pcaps /tmp/pcaps
 ADD zeek/supervisord.conf /etc/supervisord.conf
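Review bot: The new `ADD scripts/malcolm_utils.py /usr/local/bin/` sits two lines below entries this same hunk converts from `ADD` to `COPY --chmod=755`, and suricata.Dockerfile adds the identical file as `COPY --chmod=644 scripts/malcolm_utils.py /usr/local/bin/`. Use the COPY form here as well, `COPY --chmod=644 scripts/malcolm_utils.py /usr/local/bin/`, so the module's mode in the image does not depend on the mode of the file in the build context and the two images agree. The remaining `ADD` lines for pcap_processor.py and pcap_utils.py could be converted in the same pass, since ADD's extra behaviours (remote fetch, archive extraction) are not wanted for plain local files.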
@@ -187,7 +191,8 @@ RUN groupadd --gid ${DEFAULT_GID} ${PUSER} && \
 setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' "${ZEEK_DIR}"/bin/capstats && \
 touch "${SUPERCRONIC_CRONTAB}" && \
 chown -R ${DEFAULT_UID}:${DEFAULT_GID} "${ZEEK_DIR}"/share/zeek/site/intel "${SUPERCRONIC_CRONTAB}" && \
- ln -sfr /usr/local/bin/pcap_processor.py /usr/local/bin/pcap_zeek_processor.py
+ ln -sfr /usr/local/bin/pcap_processor.py /usr/local/bin/pcap_zeek_processor.py && \
+ ln -sfr /usr/local/bin/malcolm_utils.py "${ZEEK_DIR}"/bin/malcolm_utils.py
 #Whether or not to auto-tag logs based on filename
 ARG AUTO_TAG=true
@@ -204,8 +209,7 @@ ARG ZEEK_INTEL_REFRESH_THREADS=2
 ARG ZEEK_INTEL_FEED_SINCE=
 ARG ZEEK_EXTRACTOR_MODE=none
 ARG ZEEK_EXTRACTOR_PATH=/zeek/extract_files
-ARG PCAP_PIPELINE_DEBUG=false
-ARG PCAP_PIPELINE_DEBUG_EXTRA=false
+ARG PCAP_PIPELINE_VERBOSITY=""
 ARG PCAP_MONITOR_HOST=pcap-monitor
 ARG ZEEK_LIVE_CAPTURE=false
 ARG ZEEK_ROTATED_PCAP=false
@@ -225,8 +229,7 @@ ENV ZEEK_INTEL_REFRESH_THREADS $ZEEK_INTEL_REFRESH_THREADS
 ENV ZEEK_INTEL_FEED_SINCE $ZEEK_INTEL_FEED_SINCE
 ENV ZEEK_EXTRACTOR_MODE $ZEEK_EXTRACTOR_MODE
 ENV ZEEK_EXTRACTOR_PATH $ZEEK_EXTRACTOR_PATH
-ENV PCAP_PIPELINE_DEBUG $PCAP_PIPELINE_DEBUG
-ENV PCAP_PIPELINE_DEBUG_EXTRA $PCAP_PIPELINE_DEBUG_EXTRA
+ENV PCAP_PIPELINE_VERBOSITY $PCAP_PIPELINE_VERBOSITY
 ENV PCAP_MONITOR_HOST $PCAP_MONITOR_HOST
 ENV ZEEK_LIVE_CAPTURE $ZEEK_LIVE_CAPTURE
 ENV ZEEK_ROTATED_PCAP $ZEEK_ROTATED_PCAP
@@ -252,6 +255,7 @@ ARG ZEEK_DISABLE_SPICY_STUN=
 ARG ZEEK_DISABLE_SPICY_TAILSCALE=
 ARG ZEEK_DISABLE_SPICY_TFTP=
 ARG ZEEK_DISABLE_SPICY_WIREGUARD=
+ARG ZEEK_SYNCHROPHASOR_DETAILED=
 ENV ZEEK_DISABLE_HASH_ALL_FILES $ZEEK_DISABLE_HASH_ALL_FILES
 ENV ZEEK_DISABLE_LOG_PASSWORDS $ZEEK_DISABLE_LOG_PASSWORDS
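Review bot: `ARG ZEEK_SYNCHROPHASOR_DETAILED=` is appended to the `ZEEK_DISABLE_*` list without a comment, and unlike its neighbours the name does not say whether a non-empty value enables or disables something. It presumably switches on the `synchrophasor_cfg_detail` / `synchrophasor_data_detail` logs that the arkime config.ini hunk later in this diff adds fields for, so a one-liner such as `# set non-empty to enable the detailed synchrophasor_cfg_detail and synchrophasor_data_detail logs` (confirmed against the zeek site policy that reads it) would make the knob discoverable. The RUN that gains the `ln -sfr /usr/local/bin/malcolm_utils.py "${ZEEK_DIR}"/bin/malcolm_utils.py` symlink in the first hunk starts outside the hunk.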
@@ -269,12 +273,18 @@ ENV ZEEK_DISABLE_SPICY_STUN $ZEEK_DISABLE_SPICY_STUN
 ENV ZEEK_DISABLE_SPICY_TAILSCALE $ZEEK_DISABLE_SPICY_TAILSCALE
 ENV ZEEK_DISABLE_SPICY_TFTP $ZEEK_DISABLE_SPICY_TFTP
 ENV ZEEK_DISABLE_SPICY_WIREGUARD $ZEEK_DISABLE_SPICY_WIREGUARD
+ENV ZEEK_SYNCHROPHASOR_DETAILED $ZEEK_SYNCHROPHASOR_DETAILED
 ENV PUSER_CHOWN "$ZEEK_DIR"
 VOLUME ["${ZEEK_DIR}/share/zeek/site/intel"]
-ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/docker_entrypoint.sh"]
+ENTRYPOINT ["/usr/bin/tini", \
+ "--", \
+ "/usr/local/bin/docker-uid-gid-setup.sh", \
+ "/usr/local/bin/docker_entrypoint.sh", \
+ "/usr/local/bin/service_check_passthrough.sh", \
+ "-s", "zeek"]
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"]
diff --git a/_config.yml b/_config.yml
index bfa1e1c42..f6d466466 100644
--- a/_config.yml
+++ b/_config.yml
@@ -55,7 +55,7 @@ exclude:
 - arkime
 - arkime-logs
 - arkime-raw
- - auth.env
+ - config
 - dashboards
 - docker-compose-standalone.yml
 - docker-compose.yml
@@ -75,7 +75,6 @@ exclude:
 - htadmin
 - logstash
 - malcolm-iso
- - name-map-ui
 - net-map.json
 - netbox
 - nginx
diff --git a/api/project/__init__.py b/api/project/__init__.py
index df906f6f6..0036bbe9d 100644
--- a/api/project/__init__.py
+++ b/api/project/__init__.py
@@ -1,6 +1,6 @@
 import dateparser
 import json
-import malcolm_common
+import malcolm_utils
 import opensearchpy
 import os
 import pytz
@@ -161,7 +161,7 @@
 opensearchLocal = (app.config["OPENSEARCH_LOCAL"] == "true") or (opensearchUrl == 'http://opensearch:9200')
 opensearchSslVerify = app.config["OPENSEARCH_SSL_CERTIFICATE_VERIFICATION"] == "true"
 opensearchCreds = (
- malcolm_common.ParseCurlFile(app.config["OPENSEARCH_CREDS_CONFIG_FILE"])
+ malcolm_utils.ParseCurlFile(app.config["OPENSEARCH_CREDS_CONFIG_FILE"])
 if (not opensearchLocal)
 else defaultdict(lambda: None)
 )
@@ -478,8 +478,15 @@ def bucketfield(fieldname, current_request, urls=None):
 )
-@app.route("/agg", defaults={'fieldname': 'event.provider'}, methods=['GET', 'POST'])
-@app.route("/agg/", methods=['GET', 'POST'])
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/agg",
+ defaults={'fieldname': 'event.provider'},
+ methods=['GET', 'POST'],
+)
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/agg/",
+ methods=['GET', 'POST'],
+)
 def aggregate(fieldname):
 """Returns the aggregated values and counts for a given field name, see bucketfield
@@ -506,8 +513,15 @@ def aggregate(fieldname):
 )
-@app.route("/document", defaults={'index': app.config["ARKIME_INDEX_PATTERN"]}, methods=['GET', 'POST'])
-@app.route("/document/", methods=['GET', 'POST'])
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/document",
+ defaults={'index': app.config["ARKIME_INDEX_PATTERN"]},
+ methods=['GET', 'POST'],
+)
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/document/",
+ methods=['GET', 'POST'],
+)
 def document(index):
 """Returns the matching document(s) from the specified index
@@ -541,9 +555,15 @@ def document(index):
 )
-@app.route("/index", methods=['GET'])
-@app.route("/indexes", methods=['GET'])
-@app.route("/indices", methods=['GET'])
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/index", methods=['GET']
+)
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/indexes", methods=['GET']
+)
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/indices", methods=['GET']
+)
 def indices():
 """Provide a list of indices in the OpenSearch data store
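Review bot: The prefix expression `f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/agg"` is repeated verbatim in every decorator of this hunk and the two below it, and again in the four hunks on the following line, and each copy assumes the configured value carries no slashes of its own — `MALCOLM_API_PREFIX=/mapi/` would register `//mapi//agg` and nothing under the intended path. Compute it once near the top of the module, after `app` is created, e.g. `_API_PREFIX = app.config['MALCOLM_API_PREFIX'].strip('/')` and `API_PREFIX = f"/{_API_PREFIX}" if _API_PREFIX else ''`, then write each decorator as `@app.route(f"{API_PREFIX}/agg", ...)`. That also lets the decorators fit on one line again, as they did before this change.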
@@ -564,7 +584,9 @@ def indices():
 )
-@app.route("/fields", methods=['GET'])
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/fields", methods=['GET']
+)
 def fields():
 """Provide a list of fields Malcolm "knows about" merged from Arkime's field table, Malcolm's OpenSearch template for the sessions indices, and Kibana's field list
@@ -684,8 +706,10 @@ def fields():
 return jsonify(fields=fields, total=len(fields))
-@app.route("/", methods=['GET'])
-@app.route("/version", methods=['GET'])
+@app.route(f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/", methods=['GET'])
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/version", methods=['GET']
+)
 def version():
 """Provides version information about Malcolm and the underlying OpenSearch instance
@@ -720,7 +744,9 @@ def version():
 )
-@app.route("/ping", methods=['GET'])
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/ping", methods=['GET']
+)
 def ping():
 """Says 'pong' (for a simple health check)
@@ -735,8 +761,12 @@ def ping():
 return jsonify(ping="pong")
-@app.route('/alert', methods=['POST'])
-@app.route('/event', methods=['POST'])
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/alert", methods=['POST']
+)
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/event", methods=['POST']
+)
 def event():
 """Webhook that accepts alert data (like that from the OpenSearch Alerting API) to be reindexed into OpenSearch as session records (e.g., arkime_sessions3-*) for viewing
diff --git a/api/project/config.py b/api/project/config.py
index 644495da6..5c79c0c9c 100644
--- a/api/project/config.py
+++ b/api/project/config.py
@@ -10,12 +10,15 @@ class Config(object):
 ARKIME_INDEX_TIME_FIELD = f"{os.getenv('ARKIME_INDEX_TIME_FIELD', 'firstPacket')}"
 BUILD_DATE = f"{os.getenv('BUILD_DATE', 'unknown')}"
 DASHBOARDS_URL = f"{os.getenv('DASHBOARDS_URL', 'http://dashboards:5601/dashboards')}"
+ MALCOLM_API_PREFIX = f"{os.getenv('MALCOLM_API_PREFIX', 'mapi')}"
 MALCOLM_API_DEBUG = f"{os.getenv('MALCOLM_API_DEBUG', 'false')}"
 MALCOLM_TEMPLATE = f"{os.getenv('MALCOLM_TEMPLATE', 'malcolm_template')}"
 MALCOLM_VERSION = f"{os.getenv('MALCOLM_VERSION', 'unknown')}"
 OPENSEARCH_URL = f"{os.getenv('OPENSEARCH_URL', 'http://opensearch:9200')}"
 OPENSEARCH_LOCAL = f"{os.getenv('OPENSEARCH_LOCAL', 'true')}"
 OPENSEARCH_SSL_CERTIFICATE_VERIFICATION = f"{os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', 'false')}"
- OPENSEARCH_CREDS_CONFIG_FILE = f"{os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc')}"
+ OPENSEARCH_CREDS_CONFIG_FILE = (
+ f"{os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/curlrc/.opensearch.primary.curlrc')}"
+ )
 RESULT_SET_LIMIT = int(f"{os.getenv('RESULT_SET_LIMIT', '500')}")
 VCS_REVISION = f"{os.getenv('VCS_REVISION', 'unknown')}"
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 2a188cb4b..494779a1d 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -42,7 +42,7 @@ parseSMB=true
 parseQSValue=false
 supportSha256=false
 maxReqBody=64
-config.reqBodyOnlyUtf8=true
+reqBodyOnlyUtf8=true
 smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP:
 parsersDir=/opt/arkime/parsers
 pluginsDir=/opt/arkime/plugins
@@ -54,7 +54,6 @@ pcapWriteMethod=simple
 pcapWriteSize=262143
 simpleCompression=zstd
 simpleZstdLevel=3
-dbBulkSize=300000
 compressES=false
 maxESConns=30
 maxESRequests=500
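Review bot: `MALCOLM_API_PREFIX = f"{os.getenv('MALCOLM_API_PREFIX', 'mapi')}"` takes the environment value verbatim, yet the route decorators in api/project/__init__.py prepend their own `/` and append `/agg`, `/ping` and so on, so a deployment that sets `MALCOLM_API_PREFIX=/mapi/` would register paths with doubled slashes instead of the intended prefix. Normalising at the source avoids repeating the fix in every decorator: `MALCOLM_API_PREFIX = os.getenv('MALCOLM_API_PREFIX', 'mapi').strip('/')` (the f-string wrapper adds nothing for a value that is already a str). A comment above it, `# URL path prefix the API is served under, without leading/trailing slashes; empty serves at the root`, would document the new knob alongside the other settings.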
@@ -1770,7 +1769,6 @@ tls.server.ja3s=db:tls.server.ja3s;group:zeek_ssl;kind:termfield;friendly:JA3 Se
 tls.client.ja3_description=db:tls.client.ja3_description;group:zeek_ssl;kind:termfield;friendly:JA3 Client Fingerprint Lookup;help:JA3 Client Fingerprint Lookup
 tls.server.ja3s_description=db:tls.server.ja3s_description;group:zeek_ssl;kind:termfield;friendly:JA3 Server Fingerprint Lookup;help:JA3 Server Fingerprint Lookup
-
 # stun.log and stun_nat.log
 # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek
 zeek.stun.trans_id=db:zeek.stun.trans_id;group:zeek_stun;kind:termfield;friendly:Transaction ID;help:Transaction ID
@@ -1782,6 +1780,114 @@ zeek.stun_nat.wan_addr=db:zeek.stun_nat.wan_addr;group:zeek_stun;kind:termfield;
 zeek.stun_nat.wan_port=db:zeek.stun_nat.wan_port;group:zeek_stun;kind:integer;friendly:Mapped Port;help:Mapped Port
 zeek.stun_nat.lan_addr=db:zeek.stun_nat.lan_addr;group:zeek_stun;kind:termfield;friendly:NAT LAN Address;help:NAT LAN Address
+# synchrophasor_cmd.log
+# https://github.com/cisagov/icsnpp-synchrophasor
+zeek.synchrophasor_cmd.command=db:zeek.synchrophasor_cmd.command;group:zeek_synchrophasor;kind:termfield;friendly:command;help:command
+zeek.synchrophasor_cmd.extframe=db:zeek.synchrophasor_cmd.extframe;group:zeek_synchrophasor;kind:integer;friendly:extframe;help:extframe
+
+# synchrophasor_cfg.log
+# https://github.com/cisagov/icsnpp-synchrophasor
+zeek.synchrophasor_cfg.cont_idx=db:zeek.synchrophasor_cfg.cont_idx;group:zeek_synchrophasor;kind:integer;friendly:cont_idx;help:cont_idx
+zeek.synchrophasor_cfg.pmu_count_expected=db:zeek.synchrophasor_cfg.pmu_count_expected;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_expected;help:pmu_count_expected
+zeek.synchrophasor_cfg.pmu_count_actual=db:zeek.synchrophasor_cfg.pmu_count_actual;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_actual;help:pmu_count_actual
+zeek.synchrophasor_cfg.cfg_frame_id=db:zeek.synchrophasor_cfg.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:cfg_frame_id;help:cfg_frame_id
+
+# synchrophasor_cfg_detail.log
+# https://github.com/cisagov/icsnpp-synchrophasor
+zeek.synchrophasor_cfg_detail.cfg_frame_id=db:zeek.synchrophasor_cfg_detail.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:cfg_frame_id;help:cfg_frame_id
+zeek.synchrophasor_cfg_detail.pmu_idx=db:zeek.synchrophasor_cfg_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;friendly:pmu_idx;help:pmu_idx
+zeek.synchrophasor_cfg_detail.svc_class=db:zeek.synchrophasor_cfg_detail.svc_class;group:zeek_synchrophasor;kind:termfield;friendly:svc_class;help:svc_class
+zeek.synchrophasor_cfg_detail.station_name=db:zeek.synchrophasor_cfg_detail.station_name;group:zeek_synchrophasor;kind:termfield;friendly:station_name;help:station_name
+zeek.synchrophasor_cfg_detail.data_source_id=db:zeek.synchrophasor_cfg_detail.data_source_id;group:zeek_synchrophasor;kind:integer;friendly:data_source_id;help:data_source_id
+zeek.synchrophasor_cfg_detail.global_pmuid=db:zeek.synchrophasor_cfg_detail.global_pmuid;group:zeek_synchrophasor;kind:termfield;friendly:global_pmuid;help:global_pmuid
+zeek.synchrophasor_cfg_detail.phasor_shape=db:zeek.synchrophasor_cfg_detail.phasor_shape;group:zeek_synchrophasor;kind:termfield;friendly:phasor_shape;help:phasor_shape
+zeek.synchrophasor_cfg_detail.phasor_format=db:zeek.synchrophasor_cfg_detail.phasor_format;group:zeek_synchrophasor;kind:termfield;friendly:phasor_format;help:phasor_format
+zeek.synchrophasor_cfg_detail.analog_format=db:zeek.synchrophasor_cfg_detail.analog_format;group:zeek_synchrophasor;kind:termfield;friendly:analog_format;help:analog_format
+zeek.synchrophasor_cfg_detail.freq_format=db:zeek.synchrophasor_cfg_detail.freq_format;group:zeek_synchrophasor;kind:termfield;friendly:freq_format;help:freq_format
+zeek.synchrophasor_cfg_detail.phnmr=db:zeek.synchrophasor_cfg_detail.phnmr;group:zeek_synchrophasor;kind:integer;friendly:phnmr;help:phnmr
+zeek.synchrophasor_cfg_detail.annmr=db:zeek.synchrophasor_cfg_detail.annmr;group:zeek_synchrophasor;kind:integer;friendly:annmr;help:annmr
+zeek.synchrophasor_cfg_detail.dgnmr=db:zeek.synchrophasor_cfg_detail.dgnmr;group:zeek_synchrophasor;kind:integer;friendly:dgnmr;help:dgnmr
+zeek.synchrophasor_cfg_detail.phnam=db:zeek.synchrophasor_cfg_detail.phnam;group:zeek_synchrophasor;kind:termfield;friendly:phnam;help:phnam
+zeek.synchrophasor_cfg_detail.annam=db:zeek.synchrophasor_cfg_detail.annam;group:zeek_synchrophasor;kind:termfield;friendly:annam;help:annam
+zeek.synchrophasor_cfg_detail.dgnam=db:zeek.synchrophasor_cfg_detail.dgnam;group:zeek_synchrophasor;kind:termfield;friendly:dgnam;help:dgnam
+zeek.synchrophasor_cfg_detail.phasor_conv_phunit=db:zeek.synchrophasor_cfg_detail.phasor_conv_phunit;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_phunit;help:phasor_conv_phunit
+zeek.synchrophasor_cfg_detail.phasor_conv_phvalue=db:zeek.synchrophasor_cfg_detail.phasor_conv_phvalue;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_phvalue;help:phasor_conv_phvalue
+zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_upsampled_interpolation;help:phasor_conv_upsampled_interpolation
+zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_upsampled_extrapolation;help:phasor_conv_upsampled_extrapolation
+zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_downsampled_reselection;help:phasor_conv_downsampled_reselection
+zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_downsampled_fir_filter;help:phasor_conv_downsampled_fir_filter
+zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_downsampled_no_fir_filter;help:phasor_conv_downsampled_no_fir_filter
+zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling=db:zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_filtered_without_changing_sampling;help:phasor_conv_filtered_without_changing_sampling
+zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_calibration_mag_adj;help:phasor_conv_calibration_mag_adj
+zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_calibration_phas_adj;help:phasor_conv_calibration_phas_adj
+zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_rotation_phase_adj;help:phasor_conv_rotation_phase_adj
+zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val=db:zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_pseudo_phasor_val;help:phasor_conv_pseudo_phasor_val
+zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl=db:zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_mod_appl;help:phasor_conv_mod_appl
+zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_phasor_component;help:phasor_conv_phasor_component
+zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_phasor_type;help:phasor_conv_phasor_type
+zeek.synchrophasor_cfg_detail.phasor_conv_user_def=db:zeek.synchrophasor_cfg_detail.phasor_conv_user_def;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_user_def;help:phasor_conv_user_def
+zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor=db:zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor;group:zeek_synchrophasor;kind:float;friendly:phasor_conv_scale_factor;help:phasor_conv_scale_factor
+zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj;group:zeek_synchrophasor;kind:float;friendly:phasor_conv_angle_adj;help:phasor_conv_angle_adj
+zeek.synchrophasor_cfg_detail.analog_conv_analog_flags=db:zeek.synchrophasor_cfg_detail.analog_conv_analog_flags;group:zeek_synchrophasor;kind:integer;friendly:analog_conv_analog_flags;help:analog_conv_analog_flags
+zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling=db:zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling;group:zeek_synchrophasor;kind:integer;friendly:analog_conv_user_defined_scaling;help:analog_conv_user_defined_scaling
+zeek.synchrophasor_cfg_detail.analog_conv_mag_scale=db:zeek.synchrophasor_cfg_detail.analog_conv_mag_scale;group:zeek_synchrophasor;kind:float;friendly:analog_conv_mag_scale;help:analog_conv_mag_scale
+zeek.synchrophasor_cfg_detail.analog_conv_offset=db:zeek.synchrophasor_cfg_detail.analog_conv_offset;group:zeek_synchrophasor;kind:float;friendly:analog_conv_offset;help:analog_conv_offset
+zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask;group:zeek_synchrophasor;kind:integer;friendly:digital_conv_normal_status_mask;help:digital_conv_normal_status_mask
+zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask;group:zeek_synchrophasor;kind:integer;friendly:digital_conv_valid_inputs_mask;help:digital_conv_valid_inputs_mask
+zeek.synchrophasor_cfg_detail.pmu_lat=db:zeek.synchrophasor_cfg_detail.pmu_lat;group:zeek_synchrophasor;kind:float;friendly:pmu_lat;help:pmu_lat
+zeek.synchrophasor_cfg_detail.pmu_lon=db:zeek.synchrophasor_cfg_detail.pmu_lon;group:zeek_synchrophasor;kind:float;friendly:pmu_lon;help:pmu_lon
+zeek.synchrophasor_cfg_detail.pmu_elev=db:zeek.synchrophasor_cfg_detail.pmu_elev;group:zeek_synchrophasor;kind:float;friendly:pmu_elev;help:pmu_elev
+zeek.synchrophasor_cfg_detail.window=db:zeek.synchrophasor_cfg_detail.window;group:zeek_synchrophasor;kind:integer;friendly:window;help:window
+zeek.synchrophasor_cfg_detail.group_delay=db:zeek.synchrophasor_cfg_detail.group_delay;group:zeek_synchrophasor;kind:integer;friendly:group_delay;help:group_delay
+zeek.synchrophasor_cfg_detail.fnom=db:zeek.synchrophasor_cfg_detail.fnom;group:zeek_synchrophasor;kind:integer;friendly:fnom;help:fnom
+zeek.synchrophasor_cfg_detail.cfgcnt=db:zeek.synchrophasor_cfg_detail.cfgcnt;group:zeek_synchrophasor;kind:integer;friendly:cfgcnt;help:cfgcnt
+
+# synchrophasor_data.log
+# https://github.com/cisagov/icsnpp-synchrophasor
+zeek.synchrophasor_data.pmu_count_expected=db:zeek.synchrophasor_data.pmu_count_expected;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_expected;help:pmu_count_expected
+zeek.synchrophasor_data.pmu_count_actual=db:zeek.synchrophasor_data.pmu_count_actual;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_actual;help:pmu_count_actual
+zeek.synchrophasor_data.data_frame_id=db:zeek.synchrophasor_data.data_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:data_frame_id;help:data_frame_id
+
+# synchrophasor_data_detail.log
+# https://github.com/cisagov/icsnpp-synchrophasor
+zeek.synchrophasor_data_detail.data_frame_id=db:zeek.synchrophasor_data_detail.data_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:data_frame_id;help:data_frame_id
+zeek.synchrophasor_data_detail.pmu_idx=db:zeek.synchrophasor_data_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;friendly:pmu_idx;help:pmu_idx
+zeek.synchrophasor_data_detail.trigger_reason=db:zeek.synchrophasor_data_detail.trigger_reason;group:zeek_synchrophasor;kind:integer;friendly:trigger_reason;help:trigger_reason
+zeek.synchrophasor_data_detail.unlocked_time=db:zeek.synchrophasor_data_detail.unlocked_time;group:zeek_synchrophasor;kind:integer;friendly:unlocked_time;help:unlocked_time
+zeek.synchrophasor_data_detail.pmu_time_quality=db:zeek.synchrophasor_data_detail.pmu_time_quality;group:zeek_synchrophasor;kind:integer;friendly:pmu_time_quality;help:pmu_time_quality
+zeek.synchrophasor_data_detail.data_modified=db:zeek.synchrophasor_data_detail.data_modified;group:zeek_synchrophasor;kind:termfield;friendly:data_modified;help:data_modified
+zeek.synchrophasor_data_detail.config_change=db:zeek.synchrophasor_data_detail.config_change;group:zeek_synchrophasor;kind:termfield;friendly:config_change;help:config_change
+zeek.synchrophasor_data_detail.pmu_trigger_pickup=db:zeek.synchrophasor_data_detail.pmu_trigger_pickup;group:zeek_synchrophasor;kind:termfield;friendly:pmu_trigger_pickup;help:pmu_trigger_pickup
+zeek.synchrophasor_data_detail.data_sorting_type=db:zeek.synchrophasor_data_detail.data_sorting_type;group:zeek_synchrophasor;kind:termfield;friendly:data_sorting_type;help:data_sorting_type
+zeek.synchrophasor_data_detail.pmu_sync_error=db:zeek.synchrophasor_data_detail.pmu_sync_error;group:zeek_synchrophasor;kind:termfield;friendly:pmu_sync_error;help:pmu_sync_error
+zeek.synchrophasor_data_detail.data_error_indicator=db:zeek.synchrophasor_data_detail.data_error_indicator;group:zeek_synchrophasor;kind:integer;friendly:data_error_indicator;help:data_error_indicator
+zeek.synchrophasor_data_detail.est_rectangular_real=db:zeek.synchrophasor_data_detail.est_rectangular_real;group:zeek_synchrophasor;kind:float;friendly:est_rectangular_real;help:est_rectangular_real
+zeek.synchrophasor_data_detail.est_rectangular_imaginary=db:zeek.synchrophasor_data_detail.est_rectangular_imaginary;group:zeek_synchrophasor;kind:float;friendly:est_rectangular_imaginary;help:est_rectangular_imaginary
+zeek.synchrophasor_data_detail.est_polar_magnitude=db:zeek.synchrophasor_data_detail.est_polar_magnitude;group:zeek_synchrophasor;kind:float;friendly:est_polar_magnitude;help:est_polar_magnitude
+zeek.synchrophasor_data_detail.est_polar_angle=db:zeek.synchrophasor_data_detail.est_polar_angle;group:zeek_synchrophasor;kind:float;friendly:est_polar_angle;help:est_polar_angle
+zeek.synchrophasor_data_detail.freq_dev_mhz=db:zeek.synchrophasor_data_detail.freq_dev_mhz;group:zeek_synchrophasor;kind:float;friendly:freq_dev_mhz;help:freq_dev_mhz
+zeek.synchrophasor_data_detail.rocof=db:zeek.synchrophasor_data_detail.rocof;group:zeek_synchrophasor;kind:float;friendly:rocof;help:rocof
+zeek.synchrophasor_data_detail.analog_data=db:zeek.synchrophasor_data_detail.analog_data;group:zeek_synchrophasor;kind:float;friendly:analog_data;help:analog_data
+zeek.synchrophasor_data_detail.digital=db:zeek.synchrophasor_data_detail.digital;group:zeek_synchrophasor;kind:integer;friendly:digital;help:digital
+
+# synchrophasor_hdr.log
+# https://github.com/cisagov/icsnpp-synchrophasor
+zeek.synchrophasor_hdr.data=db:zeek.synchrophasor_hdr.data;group:zeek_synchrophasor;kind:termfield;friendly:data;help:data
+
+# synchrophasor.log
+# https://github.com/cisagov/icsnpp-synchrophasor
+zeek.synchrophasor.version=db:zeek.synchrophasor.version;group:zeek_synchrophasor;kind:termfield;friendly:version;help:version
+zeek.synchrophasor.data_stream_id=db:zeek.synchrophasor.data_stream_id;group:zeek_synchrophasor;kind:termfield;friendly:data_stream_id;help:data_stream_id
+zeek.synchrophasor.history=db:zeek.synchrophasor.history;group:zeek_synchrophasor;kind:termfield;friendly:history;help:history
+zeek.synchrophasor.frame_size_min=db:zeek.synchrophasor.frame_size_min;group:zeek_synchrophasor;kind:integer;friendly:frame_size_min;help:frame_size_min
+zeek.synchrophasor.frame_size_max=db:zeek.synchrophasor.frame_size_max;group:zeek_synchrophasor;kind:integer;friendly:frame_size_max;help:frame_size_max
+zeek.synchrophasor.frame_size_tot=db:zeek.synchrophasor.frame_size_tot;group:zeek_synchrophasor;kind:integer;friendly:frame_size_tot;help:frame_size_tot
+zeek.synchrophasor.data_frame_count=db:zeek.synchrophasor.data_frame_count;group:zeek_synchrophasor;kind:integer;friendly:data_frame_count;help:data_frame_count
+zeek.synchrophasor.data_rate=db:zeek.synchrophasor.data_rate;group:zeek_synchrophasor;kind:termfield;friendly:data_rate;help:data_rate
+zeek.synchrophasor.header_time_stamp=db:zeek.synchrophasor.header_time_stamp;group:zeek_synchrophasor;kind:termfield;friendly:header_time_stamp;help:header_time_stamp
+zeek.synchrophasor.frame_type=db:zeek.synchrophasor.frame_type;group:zeek_synchrophasor;kind:termfield;friendly:frame_type;help:frame_type
+zeek.synchrophasor.frame_size=db:zeek.synchrophasor.frame_size;group:zeek_synchrophasor;kind:integer;friendly:frame_size;help:frame_size
+
 # syslog.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info
 zeek.syslog.facility=db:zeek.syslog.facility;group:zeek_syslog;kind:termfield;friendly:Facility;help:Facility
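Review bot: Every new `zeek.synchrophasor*` entry in this hunk reuses the raw field name for both `friendly:` and `help:` (e.g. `friendly:cont_idx;help:cont_idx`, `friendly:phnmr;help:phnmr`), while the surrounding stun and syslog entries carry readable labels such as `friendly:Mapped Port;help:Mapped Port` and `friendly:Facility;help:Facility`, so the Arkime field picker will show bare identifiers for this group only. At minimum the abbreviated C37.118 names deserve a spelled-out `help:` — for instance `zeek.synchrophasor_data_detail.rocof=...;friendly:ROCOF;help:Rate of change of frequency` — and the `_count_expected` / `_count_actual` pairs could say what is being counted. The analyzer's own documentation linked in the `# https://github.com/cisagov/icsnpp-synchrophasor` comments is the source to lift the descriptions from rather than inventing them here.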
@@ -2524,6 +2630,13 @@ o_zeek_ssh=require:zeek.ssh;title:Zeek ssh.log;fields:zeek.ssh.version,zeek.ssh. o_zeek_ssl=require:zeek.ssl;title:Zeek ssl.log;fields:zeek.ssl.ssl_version,zeek.ssl.ssl_history,zeek.ssl.sni_matches_cert,zeek.ssl.cipher,zeek.ssl.curve,zeek.ssl.server_name,zeek.ssl.resumed,zeek.ssl.last_alert,zeek.ssl.next_protocol,zeek.ssl.established,tls.client.ja3,tls.client.ja3_description,tls.server.ja3s,tls.server.ja3s_description,zeek.ssl.cert_chain_fuids,zeek.ssl.cert_chain_fps,zeek.ssl.client_cert_chain_fuids,zeek.ssl.client_cert_chain_fps,zeek.ssl.subject.CN,zeek.ssl.subject.C,zeek.ssl.subject.O,zeek.ssl.subject.OU,zeek.ssl.subject.ST,zeek.ssl.subject.SN,zeek.ssl.subject.L,zeek.ssl.subject.GN,zeek.ssl.subject.pseudonym,zeek.ssl.subject.serialNumber,zeek.ssl.subject.title,zeek.ssl.subject.initials,zeek.ssl.subject.emailAddress,zeek.ssl.subject.description,zeek.ssl.subject.postalCode,zeek.ssl.subject.street,zeek.ssl.client_subject.CN,zeek.ssl.client_subject.C,zeek.ssl.client_subject.O,zeek.ssl.client_subject.OU,zeek.ssl.client_subject.ST,zeek.ssl.client_subject.SN,zeek.ssl.client_subject.L,zeek.ssl.client_subject.GN,zeek.ssl.client_subject.pseudonym,zeek.ssl.client_subject.serialNumber,zeek.ssl.client_subject.title,zeek.ssl.client_subject.initials,zeek.ssl.client_subject.emailAddress,zeek.ssl.issuer.CN,zeek.ssl.issuer.C,zeek.ssl.issuer.O,zeek.ssl.issuer.OU,zeek.ssl.issuer.ST,zeek.ssl.issuer.SN,zeek.ssl.issuer.L,zeek.ssl.issuer.DC,zeek.ssl.issuer.GN,zeek.ssl.issuer.pseudonym,zeek.ssl.issuer.serialNumber,zeek.ssl.issuer.title,zeek.ssl.issuer.initials,zeek.ssl.issuer.emailAddress,zeek.ssl.client_issuer.CN,zeek.ssl.client_issuer.C,zeek.ssl.client_issuer.O,zeek.ssl.client_issuer.OU,zeek.ssl.client_issuer.ST,zeek.ssl.client_issuer.SN,zeek.ssl.client_issuer.L,zeek.ssl.client_issuer.DC,zeek.ssl.client_issuer.GN,zeek.ssl.client_issuer.pseudonym,zeek.ssl.client_issuer.serialNumber,zeek.ssl.client_issuer.title,zeek.ssl.client_issuer.initials,zeek.ssl.client_issuer.
emailAddress,zeek.ssl.validation_status o_zeek_stun=require:zeek.stun;title:Zeek stun.log;fields:zeek.stun.trans_id,zeek.stun.method,zeek.stun.class,zeek.stun.attr_type,zeek.stun.attr_val o_zeek_stun_nat=require:zeek.stun_nat;title:Zeek stun_nat.log;fields:zeek.stun_nat.wan_addr,zeek.stun_nat.wan_port,zeek.stun_nat.lan_addr +o_zeek_synchrophasor=require:zeek.synchrophasor;title:Zeek synchrophasor.log;fields:zeek.synchrophasor.version,zeek.synchrophasor.header_time_stamp,zeek.synchrophasor.data_stream_id,zeek.synchrophasor.history,zeek.synchrophasor.frame_type,zeek.synchrophasor.frame_size,zeek.synchrophasor.frame_size_min,zeek.synchrophasor.frame_size_max,zeek.synchrophasor.frame_size_tot,zeek.synchrophasor.data_frame_count,zeek.synchrophasor.data_rate +o_zeek_synchrophasor_cmd=require:zeek.synchrophasor_cmd;title:Zeek synchrophasor_cmd.log;fields:zeek.synchrophasor_cmd.command,zeek.synchrophasor_cmd.extframe +o_zeek_synchrophasor_cfg=require:zeek.synchrophasor_cfg;title:Zeek synchrophasor_cfg.log;fields:zeek.synchrophasor_cfg.cont_idx,zeek.synchrophasor_cfg.pmu_count_expected,zeek.synchrophasor_cfg.pmu_count_actual,zeek.synchrophasor_cfg.cfg_frame_id +o_zeek_synchrophasor_cfg_detail=require:zeek.synchrophasor_cfg_detail;title:Zeek 
synchrophasor_cfg_detail.log;fields:zeek.synchrophasor_cfg_detail.cfg_frame_id,zeek.synchrophasor_cfg_detail.pmu_idx,zeek.synchrophasor_cfg_detail.svc_class,zeek.synchrophasor_cfg_detail.station_name,zeek.synchrophasor_cfg_detail.data_source_id,zeek.synchrophasor_cfg_detail.global_pmuid,zeek.synchrophasor_cfg_detail.phasor_shape,zeek.synchrophasor_cfg_detail.phasor_format,zeek.synchrophasor_cfg_detail.analog_format,zeek.synchrophasor_cfg_detail.freq_format,zeek.synchrophasor_cfg_detail.phnmr,zeek.synchrophasor_cfg_detail.annmr,zeek.synchrophasor_cfg_detail.dgnmr,zeek.synchrophasor_cfg_detail.phnam,zeek.synchrophasor_cfg_detail.annam,zeek.synchrophasor_cfg_detail.dgnam,zeek.synchrophasor_cfg_detail.phasor_conv_phunit,zeek.synchrophasor_cfg_detail.phasor_conv_phvalue,zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation,zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation,zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection,zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter,zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter,zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling,zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj,zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj,zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj,zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val,zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl,zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component,zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type,zeek.synchrophasor_cfg_detail.phasor_conv_user_def,zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor,zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj,zeek.synchrophasor_cfg_detail.analog_conv_analog_flags,zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling,zeek.synchrophasor_cfg_detail.analog_conv_mag_scale,zeek.synchrophasor_cfg_detail.analog_conv_offset,zeek.synchrophasor_cfg_detail
.digital_conv_normal_status_mask,zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask,zeek.synchrophasor_cfg_detail.pmu_lat,zeek.synchrophasor_cfg_detail.pmu_lon,zeek.synchrophasor_cfg_detail.pmu_elev,zeek.synchrophasor_cfg_detail.window,zeek.synchrophasor_cfg_detail.group_delay,zeek.synchrophasor_cfg_detail.fnom,zeek.synchrophasor_cfg_detail.cfgcnt +o_zeek_synchrophasor_data=require:zeek.synchrophasor_data;title:Zeek synchrophasor_data.log;fields:zeek.synchrophasor_data.pmu_count_expected,zeek.synchrophasor_data.pmu_count_actual,zeek.synchrophasor_data.data_frame_id +o_zeek_synchrophasor_data_detail=require:zeek.synchrophasor_data_detail;title:Zeek synchrophasor_data_detail.log;fields:zeek.synchrophasor_data_detail.data_frame_id,zeek.synchrophasor_data_detail.pmu_idx,zeek.synchrophasor_data_detail.trigger_reason,zeek.synchrophasor_data_detail.unlocked_time,zeek.synchrophasor_data_detail.pmu_time_quality,zeek.synchrophasor_data_detail.data_modified,zeek.synchrophasor_data_detail.config_change,zeek.synchrophasor_data_detail.pmu_trigger_pickup,zeek.synchrophasor_data_detail.data_sorting_type,zeek.synchrophasor_data_detail.pmu_sync_error,zeek.synchrophasor_data_detail.data_error_indicator,zeek.synchrophasor_data_detail.est_rectangular_real,zeek.synchrophasor_data_detail.est_rectangular_imaginary,zeek.synchrophasor_data_detail.est_polar_magnitude,zeek.synchrophasor_data_detail.est_polar_angle,zeek.synchrophasor_data_detail.freq_dev_mhz,zeek.synchrophasor_data_detail.rocof,zeek.synchrophasor_data_detail.analog_data,zeek.synchrophasor_data_detail.digital +o_zeek_synchrophasor_hdr=require:zeek.synchrophasor_hdr;title:Zeek synchrophasor_hdr.log;fields:zeek.synchrophasor_hdr.data o_zeek_syslog=require:zeek.syslog;title:Zeek syslog.log;fields:zeek.syslog.facility,zeek.syslog.severity,zeek.syslog.message o_zeek_tds=require:zeek.tds;title:Zeek tds.log;fields:zeek.tds.command o_zeek_tds_rpc=require:zeek.tds_rpc;title:Zeek 
tds_rpc.log;fields:zeek.tds_rpc.procedure_name,zeek.tds_rpc.parameters diff --git a/arkime/scripts/arkime-needs-upgrade.sh b/arkime/scripts/arkime-needs-upgrade.sh index 446731ccd..29045af49 100755 --- a/arkime/scripts/arkime-needs-upgrade.sh +++ b/arkime/scripts/arkime-needs-upgrade.sh @@ -4,7 +4,7 @@ OPENSEARCH_URL=${OPENSEARCH_URL:-"http://opensearch:9200"} OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} -OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} +OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.primary.curlrc"} if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then CURL_CONFIG_PARAMS=( --config diff --git a/arkime/scripts/bs4_remove_div.py b/arkime/scripts/bs4_remove_div.py index dee992ec7..261fcc439 100755 --- a/arkime/scripts/bs4_remove_div.py +++ b/arkime/scripts/bs4_remove_div.py @@ -16,15 +16,12 @@ origPath = os.getcwd() ################################################################################################### -if not PY3: - if hasattr(__builtins__, 'raw_input'): - input = raw_input - try: FileNotFoundError except NameError: FileNotFoundError = IOError + ################################################################################################### # print to stderr def eprint(*args, **kwargs): diff --git a/arkime/scripts/docker_entrypoint.sh b/arkime/scripts/docker_entrypoint.sh index a43e8f3c0..a154c1a17 100755 --- a/arkime/scripts/docker_entrypoint.sh +++ b/arkime/scripts/docker_entrypoint.sh 
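Review bot: Removing the `raw_input` shim leaves the `try: FileNotFoundError / except NameError: FileNotFoundError = IOError` block just below it as the only remaining Python 2 compatibility code, and `FileNotFoundError` is a builtin on every Python 3 release, so that block is now dead under the same assumption that justified deleting the `PY3` branch. If the script is now Python 3 only (the commit invokes these helpers via `python3` elsewhere), drop the `try`/`except` as well and any `PY3` definition that no longer has a reader. The module-level code that defines `PY3` starts before the hunk, so I cannot see whether it is still referenced.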
@@ -12,14 +12,14 @@ ARKIME_DIR=${ARKIME_DIR:-"/opt/arkime"} OPENSEARCH_URL_FINAL=${OPENSEARCH_URL:-"http://opensearch:9200"} OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} -OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} +OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.primary.curlrc"} if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then # need to build the opensearch URL (including username/password) by combining # OPENSEARCH_URL and parameters from OPENSEARCH_CREDS_CONFIG_FILE # get the new username/password from the curl file (I already wrote python code to do this, so sue me) pushd "$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" >/dev/null 2>&1 - NEW_USER_PASSWORD="$(python3 -c "import malcolm_common; result=malcolm_common.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" + NEW_USER_PASSWORD="$(python3 -c "import malcolm_utils; result=malcolm_utils.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" NEW_USER="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f1)" NEW_PASSWORD="$(urlencodeall "$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f2-)")" popd >/dev/null 2>&1 diff --git a/arkime/scripts/initarkime.sh b/arkime/scripts/initarkime.sh index 29f6c232c..86089a386 100755 --- a/arkime/scripts/initarkime.sh +++ b/arkime/scripts/initarkime.sh 
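Review bot: The changed `NEW_USER_PASSWORD=` line still splices `$OPENSEARCH_CREDS_CONFIG_FILE` into the Python source text inside `python3 -c`, so a path containing a single quote (or anything else Python parses) breaks or alters the snippet; the module rename is a convenient moment to pass the path as an argument instead: `NEW_USER_PASSWORD="$(python3 -c "import sys, malcolm_utils; result=malcolm_utils.ParseCurlFile(sys.argv[1]); print(result['user']+'|'+result['password']);" "$OPENSEARCH_CREDS_CONFIG_FILE")"`. The unchanged `cut -d'|'` lines that follow assume the username contains no `|` (the password survives because of `-f2-`, the user part would be truncated), which is worth a one-line comment next to the separator choice. The `if` block continues outside the hunk.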
@@ -5,7 +5,7 @@ OPENSEARCH_URL=${OPENSEARCH_URL:-"http://opensearch:9200"} OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"} -OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} +OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.primary.curlrc"} if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then CURL_CONFIG_PARAMS=( --config diff --git a/arkime/scripts/viewer_service.sh b/arkime/scripts/viewer_service.sh index d9ce81977..6c16aa932 100755 --- a/arkime/scripts/viewer_service.sh +++ b/arkime/scripts/viewer_service.sh @@ -5,8 +5,10 @@ while true; do if [[ -f /var/run/arkime/initialized && "$VIEWER" == "on" ]]; then echo "Launch viewer..." - cd $ARKIME_DIR/viewer + rm -f $ARKIME_DIR/logs/viewer* + pushd $ARKIME_DIR/viewer >/dev/null 2>&1 $ARKIME_DIR/bin/node viewer.js --insecure -c $ARKIME_DIR/etc/config.ini | tee -a $ARKIME_DIR/logs/viewer.log 2>&1 + popd >/dev/null 2>&1 fi sleep 5 done diff --git a/arkime/scripts/wise_service.sh b/arkime/scripts/wise_service.sh index 74d3deb7d..ff9e26b34 100755 --- a/arkime/scripts/wise_service.sh +++ b/arkime/scripts/wise_service.sh @@ -2,12 +2,12 @@ # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - while true; do if [[ ("$WISE" == "on") && (-f /var/run/arkime/runwise) && (-f $ARKIME_DIR/etc/wise.ini) ]]; then echo "Launch wise..." + rm -f $ARKIME_DIR/logs/wise* pushd $ARKIME_DIR/wiseService >/dev/null 2>&1 - $ARKIME_DIR/bin/node wiseService.js --insecure -c $ARKIME_DIR/etc/wise.ini + $ARKIME_DIR/bin/node wiseService.js --insecure -c $ARKIME_DIR/etc/wise.ini | tee -a $ARKIME_DIR/logs/wise.log 2>&1 popd >/dev/null 2>&1 fi sleep 5 diff --git a/arkime/supervisord.conf b/arkime/supervisord.conf index 7b54e623b..e86840b7d 100644 --- a/arkime/supervisord.conf +++ b/arkime/supervisord.conf 
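Review bot: The added `rm -f $ARKIME_DIR/logs/viewer*` runs on every pass of the `while true` loop right before the viewer is relaunched, so when the viewer exits unexpectedly the log that recorded why is deleted five seconds later when the loop restarts it; the same applies to the new `rm -f $ARKIME_DIR/logs/wise*` line in wise_service.sh. Rotating instead of deleting keeps the previous run available, e.g. `[[ -f $ARKIME_DIR/logs/viewer.log ]] && mv -f $ARKIME_DIR/logs/viewer.log $ARKIME_DIR/logs/viewer.log.1`, and if the intent is simply to bound disk usage a comment saying so (and noting that `tee -a` therefore only appends within one run) would help the next reader. `$ARKIME_DIR` is unquoted in the glob and, if unset, it would expand under `/logs/`, so `${ARKIME_DIR:?}` is the safer spelling for a destructive command.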
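Review bot: In the new `$ARKIME_DIR/bin/node wiseService.js --insecure -c $ARKIME_DIR/etc/wise.ini | tee -a $ARKIME_DIR/logs/wise.log 2>&1` line the `2>&1` applies to `tee`, not to `node`, so wise's stderr still goes to the script's own stderr and is not captured in wise.log; the pre-existing viewer.js line in viewer_service.sh has the same ordering. To capture both streams the redirection has to precede the pipe: `$ARKIME_DIR/bin/node wiseService.js --insecure -c $ARKIME_DIR/etc/wise.ini 2>&1 | tee -a $ARKIME_DIR/logs/wise.log`. Note also that with `tee` in the pipeline the loop now sees tee's exit status rather than node's, which matters if a later change wants to act on the service's exit code.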
@@ -50,9 +50,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:pcap-arkime] -command=python3 /opt/pcap_arkime_processor.py - --verbose "%(ENV_PCAP_PIPELINE_DEBUG)s" - --extra-verbose "%(ENV_PCAP_PIPELINE_DEBUG_EXTRA)s" +command=python3 /opt/pcap_arkime_processor.py %(ENV_PCAP_PIPELINE_VERBOSITY)s --start-sleep 10 --threads %(ENV_ARKIME_ANALYZE_PCAP_THREADS)s --publisher "%(ENV_PCAP_MONITOR_HOST)s" diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js index 5468be9f2..14d0ac046 100644 --- a/arkime/wise/source.zeeklogs.js +++ b/arkime/wise/source.zeeklogs.js 
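Review bot: The new `command=` line expands `%(ENV_PCAP_PIPELINE_VERBOSITY)s` bare, whereas the removed form passed the debug values as quoted option arguments; as far as I recall supervisord rejects a program section whose `ENV_` reference is not present in its environment, so the new variable has to be defined (possibly empty) everywhere this image runs, and an empty value now yields no `--verbose` option at all rather than `--verbose ""`. A short comment above the `command=` line, `; PCAP_PIPELINE_VERBOSITY must be set (may be empty); it carries the --verbose/--extra-verbose flags`, would record that contract where it is read. The program section continues outside the hunk.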
@@ -1985,6 +1985,93 @@ class MalcolmSource extends WISESource { "zeek.stun_nat.lan_addr", "zeek.stun_nat.wan_addr", "zeek.stun_nat.wan_port", + "zeek.synchrophasor.data_frame_count", + "zeek.synchrophasor.data_rate", + "zeek.synchrophasor.data_stream_id", + "zeek.synchrophasor.frame_size", + "zeek.synchrophasor.frame_size_max", + "zeek.synchrophasor.frame_size_min", + "zeek.synchrophasor.frame_size_tot", + "zeek.synchrophasor.frame_type", + "zeek.synchrophasor.header_time_stamp", + "zeek.synchrophasor.history", + "zeek.synchrophasor.version", + "zeek.synchrophasor_cfg.cfg_frame_id", + "zeek.synchrophasor_cfg.cont_idx", + "zeek.synchrophasor_cfg.pmu_count_actual", + "zeek.synchrophasor_cfg.pmu_count_expected", + "zeek.synchrophasor_cfg_detail.analog_conv_analog_flags", + "zeek.synchrophasor_cfg_detail.analog_conv_mag_scale", + "zeek.synchrophasor_cfg_detail.analog_conv_offset", + "zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling", + "zeek.synchrophasor_cfg_detail.analog_format", + "zeek.synchrophasor_cfg_detail.annam", + "zeek.synchrophasor_cfg_detail.annmr", + "zeek.synchrophasor_cfg_detail.cfg_frame_id", + "zeek.synchrophasor_cfg_detail.cfgcnt", + "zeek.synchrophasor_cfg_detail.data_source_id", + "zeek.synchrophasor_cfg_detail.dgnam", + "zeek.synchrophasor_cfg_detail.dgnmr", + "zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask", + "zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask", + "zeek.synchrophasor_cfg_detail.fnom", + "zeek.synchrophasor_cfg_detail.freq_format", + "zeek.synchrophasor_cfg_detail.global_pmuid", + "zeek.synchrophasor_cfg_detail.group_delay", + "zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj", + "zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj", + "zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj", + "zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter", + "zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter", + 
"zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection", + "zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling", + "zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl", + "zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component", + "zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type", + "zeek.synchrophasor_cfg_detail.phasor_conv_phunit", + "zeek.synchrophasor_cfg_detail.phasor_conv_phvalue", + "zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val", + "zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj", + "zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor", + "zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation", + "zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation", + "zeek.synchrophasor_cfg_detail.phasor_conv_user_def", + "zeek.synchrophasor_cfg_detail.phasor_format", + "zeek.synchrophasor_cfg_detail.phasor_shape", + "zeek.synchrophasor_cfg_detail.phnam", + "zeek.synchrophasor_cfg_detail.phnmr", + "zeek.synchrophasor_cfg_detail.pmu_elev", + "zeek.synchrophasor_cfg_detail.pmu_idx", + "zeek.synchrophasor_cfg_detail.pmu_lat", + "zeek.synchrophasor_cfg_detail.pmu_lon", + "zeek.synchrophasor_cfg_detail.station_name", + "zeek.synchrophasor_cfg_detail.svc_class", + "zeek.synchrophasor_cfg_detail.window", + "zeek.synchrophasor_cmd.command", + "zeek.synchrophasor_cmd.extframe", + "zeek.synchrophasor_data.data_frame_id", + "zeek.synchrophasor_data.pmu_count_actual", + "zeek.synchrophasor_data.pmu_count_expected", + "zeek.synchrophasor_data_detail.analog_data", + "zeek.synchrophasor_data_detail.config_change", + "zeek.synchrophasor_data_detail.data_error_indicator", + "zeek.synchrophasor_data_detail.data_frame_id", + "zeek.synchrophasor_data_detail.data_modified", + "zeek.synchrophasor_data_detail.data_sorting_type", + "zeek.synchrophasor_data_detail.digital", + "zeek.synchrophasor_data_detail.est_polar_angle", + "zeek.synchrophasor_data_detail.est_polar_magnitude", + 
"zeek.synchrophasor_data_detail.est_rectangular_imaginary", + "zeek.synchrophasor_data_detail.est_rectangular_real", + "zeek.synchrophasor_data_detail.freq_dev_mhz", + "zeek.synchrophasor_data_detail.pmu_idx", + "zeek.synchrophasor_data_detail.pmu_sync_error", + "zeek.synchrophasor_data_detail.pmu_time_quality", + "zeek.synchrophasor_data_detail.pmu_trigger_pickup", + "zeek.synchrophasor_data_detail.rocof", + "zeek.synchrophasor_data_detail.trigger_reason", + "zeek.synchrophasor_data_detail.unlocked_time", + "zeek.synchrophasor_hdr.data", "zeek.syslog.facility", "zeek.syslog.message", "zeek.syslog.severity", diff --git a/config/.gitignore b/config/.gitignore new file mode 100644 index 000000000..03bd4129b --- /dev/null +++ b/config/.gitignore @@ -0,0 +1 @@ +*.env diff --git a/config/arkime-secret.env.example b/config/arkime-secret.env.example new file mode 100644 index 000000000..7718ec2ec --- /dev/null +++ b/config/arkime-secret.env.example @@ -0,0 +1,4 @@ +# MaxMind GeoIP database update API key (see +# https://support.maxmind.com/hc/en-us/articles/4407116112539-Using-License-Keys) +MAXMIND_GEOIP_DB_LICENSE_KEY=0 +K8S_SECRET=True \ No newline at end of file diff --git a/config/arkime.env.example b/config/arkime.env.example new file mode 100644 index 000000000..183e970e3 --- /dev/null +++ b/config/arkime.env.example @@ -0,0 +1,7 @@ +# Whether or not Arkime is allowed to delete uploaded/captured PCAP (see +# https://arkime.com/faq#pcap-deletion) +MANAGE_PCAP_FILES=false +# The number of Arkime capture processes allowed to run concurrently +ARKIME_ANALYZE_PCAP_THREADS=1 + +OPENSEARCH_MAX_SHARDS_PER_NODE=2500 \ No newline at end of file diff --git a/config/auth-common.env.example b/config/auth-common.env.example new file mode 100644 index 000000000..0251d796f --- /dev/null +++ b/config/auth-common.env.example 
@@ -0,0 +1,13 @@
+# authentication method: encrypted HTTP basic authentication ('true') vs LDAP ('false')
+NGINX_BASIC_AUTH=true
+# NGINX LDAP (NGINX_BASIC_AUTH=false) can support LDAP, LDAPS, or LDAP+StartTLS.
+# For StartTLS, set NGINX_LDAP_TLS_STUNNEL=true to issue the StartTLS command
+# and use stunnel to tunnel the connection.
+NGINX_LDAP_TLS_STUNNEL=false
+# stunnel will require and verify certificates for StartTLS when one or more
+# trusted CA certificate files are placed in the ./nginx/ca-trust directory.
+# For additional security, hostname or IP address checking of the associated
+# CA certificate(s) can be enabled by providing these values.
+NGINX_LDAP_TLS_STUNNEL_CHECK_HOST=
+NGINX_LDAP_TLS_STUNNEL_CHECK_IP=
+NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL=2
\ No newline at end of file
diff --git a/config/auth.env.example b/config/auth.env.example
new file mode 100644
index 000000000..6ffb97a65
--- /dev/null
+++ b/config/auth.env.example
@@ -0,0 +1,4 @@
+# Malcolm Administrator username and encrypted password for nginx reverse proxy (and upload server's SFTP access)
+MALCOLM_USERNAME=admin
+MALCOLM_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==
+K8S_SECRET=True
\ No newline at end of file
diff --git a/config/beats-common.env.example b/config/beats-common.env.example
new file mode 100644
index 000000000..2158d7502
--- /dev/null
+++ b/config/beats-common.env.example
@@ -0,0 +1,3 @@
+# Whether or not Logstash will use require encrypted communications for any external
+# Beats-based forwarders from which it will accept logs
+BEATS_SSL=true
diff --git a/config/dashboards-helper.env.example b/config/dashboards-helper.env.example
new file mode 100644
index 000000000..75873108e
--- /dev/null
+++ b/config/dashboards-helper.env.example
@@ -0,0 +1,12 @@
+# Whether or not to set OpenSearch Dashboards to dark mode
+DASHBOARDS_DARKMODE=true
+# The maximum cumulative size of OpenSearch indices containing network traffic metadata
+# (arkime_sessions3-*) before which the oldest indices will be deleted ('' to disable
+# storage-based index pruning).
+OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT=0
+# Whether to determine the "oldest" indices for storage-based index pruning by creation
+# date/time ('true') or index name ('false')
+OPENSEARCH_INDEX_SIZE_PRUNE_NAME_SORT=false
+# Parameters for the OpenSearch repository used for index snapshots
+ISM_SNAPSHOT_COMPRESSED=false
+ISM_SNAPSHOT_REPO=logs
diff --git a/config/filebeat.env.example b/config/filebeat.env.example
new file mode 100644
index 000000000..3091946ef
--- /dev/null
+++ b/config/filebeat.env.example
@@ -0,0 +1,30 @@
+# filebeat parameters used for monitoring log files containing network traffic metadata
+# (see https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html)
+FILEBEAT_SCAN_FREQUENCY=10s
+FILEBEAT_CLEAN_INACTIVE=180m
+FILEBEAT_IGNORE_OLDER=120m
+FILEBEAT_CLOSE_INACTIVE=120s
+FILEBEAT_CLOSE_INACTIVE_LIVE=90m
+FILEBEAT_CLOSE_RENAMED=true
+FILEBEAT_CLOSE_REMOVED=true
+FILEBEAT_CLOSE_EOF=true
+FILEBEAT_CLEAN_REMOVED=true
+# Whether or not to use polling vs. native inotify API to watch for files
+FILEBEAT_WATCHER_POLLING=false
+# When polling, seconds of inactivity to assume a file is closed and ready for processing
+FILEBEAT_WATCHER_POLLING_ASSUME_CLOSED_SEC=10
+# Whether or not to expose a filebeat TCP input listener (see
+# https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html)
+FILEBEAT_TCP_LISTEN=false
+# Log format expected for events sent to the filebeat TCP input listener ('json' or 'raw')
+FILEBEAT_TCP_LOG_FORMAT=json
+# Source field name to parse (when FILEBEAT_TCP_LOG_FORMAT is 'json') for events sent to the
+# filebeat TCP input listener
+FILEBEAT_TCP_PARSE_SOURCE_FIELD=message
+# Target field name to store decoded JSON fields (when FILEBEAT_TCP_LOG_FORMAT is 'json') for
+# events sent to the filebeat TCP input listener
+FILEBEAT_TCP_PARSE_TARGET_FIELD=miscbeat
+# Name of field to drop (if it exists) in events sent to the filebeat TCP input listener
+FILEBEAT_TCP_PARSE_DROP_FIELD=message
+# Tag to append to events sent to the filebeat TCP input listener
+FILEBEAT_TCP_TAG=_malcolm_beats
\ No newline at end of file
diff --git a/config/logstash.env.example b/config/logstash.env.example
new file mode 100644
index 000000000..f8aa43202
--- /dev/null
+++ b/config/logstash.env.example
@@ -0,0 +1,15 @@
+# Parameters for tuning Logstash pipelines (see
+# https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html)
+pipeline.workers=3
+pipeline.batch.size=75
+pipeline.batch.delay=50
+# Whether or not Logstash will map MAC addresses to vendors for MAC addresses
+LOGSTASH_OUI_LOOKUP=true
+# Whether or not Logstash will perform severity scoring on network traffic metadata
+LOGSTASH_SEVERITY_SCORING=true
+# Whether or not Logstash will perform a reverse DNS lookup for external IP addresses
+LOGSTASH_REVERSE_DNS=false
+# Whether or not Logstash will enrich network traffic metadata via NetBox API calls
+LOGSTASH_NETBOX_ENRICHMENT=false
+# Logstash memory allowance and other Java options
+LS_JAVA_OPTS=-server -Xms2g -Xmx2g -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true
\ No newline at end of file
diff --git a/config/lookup-common.env.example b/config/lookup-common.env.example
new file mode 100644
index 000000000..d31312cc5
--- /dev/null
+++ b/config/lookup-common.env.example
@@ -0,0 +1,16 @@
+# Whether or not domain names (from DNS queries and SSL server names) will be assigned entropy scores
+# as calculated by freq
+FREQ_LOOKUP=true
+# When severity scoring is enabled, this variable indicates the entropy threshold for
+# assigning severity to events with entropy scores calculated by freq;
+# a lower value will only assign severity scores to fewer domain names with higher entropy
+FREQ_SEVERITY_THRESHOLD=2.0
+# When severity scoring is enabled, this variable indicates the size threshold (in megabytes)
+# for assigning severity to large connections or file transfers
+TOTAL_MEGABYTES_SEVERITY_THRESHOLD=1000
+# When severity scoring is enabled, this variable indicates the duration threshold (in seconds)
+# for assigning severity to long connections
+CONNECTION_SECONDS_SEVERITY_THRESHOLD=3600
+# When severity scoring is enabled, this variable defines a comma-separated list of
+# sensitive countries (using ISO 3166-1 alpha-2 codes)
+SENSITIVE_COUNTRY_CODES=AM,AZ,BY,CN,CU,DZ,GE,HK,IL,IN,IQ,IR,KG,KP,KZ,LY,MD,MO,PK,RU,SD,SS,SY,TJ,TM,TW,UA,UZ
diff --git a/config/netbox-common.env.example b/config/netbox-common.env.example
new file mode 100644
index 000000000..693425208
--- /dev/null
+++ b/config/netbox-common.env.example
@@ -0,0 +1,12 @@
+# Parameters related to NetBox (and supporting tools). Note that other more specific parameters
+# can also be configured in the env_file files for netbox* services
+# The name of the default "site" to be created upon NetBox initialization, and to be queried
+# for enrichment (see LOGSTASH_NETBOX_ENRICHMENT)
+NETBOX_DEFAULT_SITE=Malcolm
+# Whether to disable Malcolm's NetBox instance ('true') or not ('false')
+NETBOX_DISABLED=true
+NETBOX_POSTGRES_DISABLED=true
+NETBOX_REDIS_DISABLED=true
+NETBOX_REDIS_CACHE_DISABLED=true
+# Whether or not to periodically query network traffic metadata and use it to populate NetBox
+NETBOX_CRON=false
diff --git a/config/netbox-postgres.env.example b/config/netbox-postgres.env.example
new file mode 100644
index 000000000..6814396b9
--- /dev/null
+++ b/config/netbox-postgres.env.example
@@ -0,0 +1,4 @@
+POSTGRES_DB=netbox
+POSTGRES_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXX
+POSTGRES_USER=netbox
+K8S_SECRET=True
\ No newline at end of file
diff --git a/config/netbox-redis-cache.env.example b/config/netbox-redis-cache.env.example
new file mode 100644
index 000000000..b5e80205d
--- /dev/null
+++ b/config/netbox-redis-cache.env.example
@@ -0,0 +1,2 @@
+REDIS_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXX
+K8S_SECRET=True
\ No newline at end of file
diff --git a/config/netbox-redis.env.example b/config/netbox-redis.env.example
new file mode 100644
index 000000000..b5e80205d
--- /dev/null
+++ b/config/netbox-redis.env.example
@@ -0,0 +1,2 @@
+REDIS_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXX
+K8S_SECRET=True
\ No newline at end of file
diff --git a/config/netbox-secret.env.example b/config/netbox-secret.env.example
new file mode 100644
index 000000000..d629b84df
--- /dev/null
+++ b/config/netbox-secret.env.example
@@ -0,0 +1,14 @@
+DB_PASSWORD=xxxxxxxxxxxxxxxx
+DB_USER=netbox
+EMAIL_PASSWORD=
+EMAIL_USERNAME=netbox
+NAPALM_PASSWORD=
+NAPALM_USERNAME=
+REDIS_CACHE_PASSWORD=xxxxxxxxxxxxxxxx
+REDIS_PASSWORD=xxxxxxxxxxxxxxxx
+SECRET_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+SUPERUSER_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+SUPERUSER_NAME=admin
+SUPERUSER_PASSWORD=admin
+
+K8S_SECRET=True
\ No newline at end of file
diff --git a/netbox/env/netbox.env.example b/config/netbox.env.example
similarity index 77%
rename from netbox/env/netbox.env.example
rename to config/netbox.env.example
index 1bd31f5b3..0a8a0be98 100644
--- a/netbox/env/netbox.env.example
+++ b/config/netbox.env.example
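Review bot: `SUPERUSER_NAME=admin` and `SUPERUSER_PASSWORD=admin` in netbox-secret.env.example are working, well-known credentials rather than placeholders, unlike the `xxxx…` values used for every other secret in this file and in netbox-postgres/netbox-redis*.env.example; with `SKIP_SUPERUSER=false` kept in netbox.env.example, a deployment that copies the example unchanged gets a NetBox superuser with a guessable password. Use the same placeholder style, `SUPERUSER_PASSWORD=xxxxxxxxxxxxxxxx`, and add a header comment such as `# Placeholder values: every secret in this file must be replaced before the stack is started`. Presumably the setup script rewrites these, but the example itself should not be usable as-is; the `K8S_SECRET=True` marker would also benefit from a one-line comment saying what consumes it, since it appears in five new files without explanation.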
@@ -1,4 +1,7 @@ CORS_ORIGIN_ALLOW_ALL=True +# If using the NetBox interface to create API tokens, set this +# (see https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins) +# CSRF_TRUSTED_ORIGINS=https://malcolm.example.org CSRF_TRUSTED_ORIGINS=http://* https://* BASE_PATH=netbox REMOTE_AUTH_ENABLED=True @@ -14,16 +17,12 @@ REMOTE_AUTH_SUPERUSERS= EXEMPT_VIEW_PERMISSIONS=* DB_HOST=netbox-postgres DB_NAME=netbox -DB_PASSWORD=xxxxxxxxxxxxxxxx -DB_USER=netbox EMAIL_FROM=netbox@bar.com -EMAIL_PASSWORD= EMAIL_PORT=25 EMAIL_SERVER=localhost EMAIL_SSL_CERTFILE= EMAIL_SSL_KEYFILE= EMAIL_TIMEOUT=5 -EMAIL_USERNAME=netbox # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`! EMAIL_USE_SSL=false EMAIL_USE_TLS=false @@ -32,25 +31,17 @@ HOUSEKEEPING_INTERVAL=86400 MAX_PAGE_SIZE=1000 MEDIA_ROOT=/opt/netbox/netbox/media METRICS_ENABLED=false -NAPALM_PASSWORD= NAPALM_TIMEOUT=10 -NAPALM_USERNAME= REDIS_CACHE_DATABASE=1 REDIS_CACHE_HOST=netbox-redis-cache REDIS_CACHE_INSECURE_SKIP_TLS_VERIFY=false -REDIS_CACHE_PASSWORD=xxxxxxxxxxxxxxxx REDIS_CACHE_SSL=false REDIS_DATABASE=0 REDIS_HOST=netbox-redis REDIS_INSECURE_SKIP_TLS_VERIFY=false -REDIS_PASSWORD=xxxxxxxxxxxxxxxx REDIS_SSL=false RELEASE_CHECK_URL=https://api.github.com/repos/netbox-community/netbox/releases -SECRET_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx SKIP_STARTUP_SCRIPTS=true SKIP_SUPERUSER=false -SUPERUSER_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx SUPERUSER_EMAIL=admin@example.com -SUPERUSER_NAME=admin -SUPERUSER_PASSWORD=admin -WEBHOOKS_ENABLED=true +WEBHOOKS_ENABLED=true \ No newline at end of file diff --git a/config/nginx.env.example b/config/nginx.env.example new file mode 100644 index 000000000..1d36a0782 --- /dev/null +++ b/config/nginx.env.example 
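Review bot: The new comment points at setting `CSRF_TRUSTED_ORIGINS` to a concrete origin, but the effective, uncommented value stays `CSRF_TRUSTED_ORIGINS=http://* https://*`, which appears to match every origin and so leaves Django's CSRF origin check effectively disabled for NetBox; the wording reads as if the setting only mattered for API-token creation. Making the trade-off explicit would help an operator, e.g. `# The wildcard default below trusts every origin (the CSRF origin check is effectively off); in a deployment with a fixed hostname replace it with that origin, e.g. https://malcolm.example.org`. The other two hunks in this file only move secrets out to netbox-secret.env.example and drop the trailing newline.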
@@ -0,0 +1,9 @@
+# Whether or not nginx should use HTTPS. This is almost CERTAINLY what you want.
+# The only case you may want to set this to false is if you're using another
+# reverse proxy in front of Malcolm. Even if set to 'false', NGINX will still
+# listen on port 443 (it just won't be encrypted). If you change this, you'll
+# probably want to change "0.0.0.0:443:443" to something like
+# "127.0.0.1:80:443" in the ports section for the nginx-proxy service.
+NGINX_SSL=true
+# Whether or not to write nginx's access.log and error.log to OpenSearch
+NGINX_LOG_ACCESS_AND_ERRORS=false
\ No newline at end of file
diff --git a/config/opensearch.env.example b/config/opensearch.env.example
new file mode 100644
index 000000000..258e23233
--- /dev/null
+++ b/config/opensearch.env.example
@@ -0,0 +1,49 @@
+# Used in various services to define the connection to the OpenSearch document store.
+# Whether or not Malcolm will start and use its own local OpenSearch instance as its
+# primary data store. Set to 'false' if you're connecting to another OpenSearch
+# cluster, in which case the other environment variables in this section must also
+# be set with the connection parameters.
+OPENSEARCH_LOCAL=true
+# URL for connecting to OpenSearch instance. When using Malcolm's internal instance
+# of OpenSearch (i.e., OPENSEARCH_LOCAL is 'true') this should be
+# 'http://opensearch:9200', otherwise specify the primary remote instance URL
+# in the format 'protocol://host:port'.
+OPENSEARCH_URL=http://opensearch:9200
+# Used when OPENSEARCH_LOCAL is 'false', the cURL-formatted config file contains login
+# credentials for the primary OpenSearch instance. It can be generated for you by the
+# ./scripts/auth_setup script. The notable parameters expected from this file would be
+# user (with a "user:password" value) and "insecure" (if the certificate verification
+# setting below is 'false'). See cURL config file format at
+# https://everything.curl.dev/cmdline/configfile. This file is bind mounted locally
+# from .opensearch.primary.curlrc as /var/local/curlrc/.opensearch.primary.curlrc
+OPENSEARCH_CREDS_CONFIG_FILE=/var/local/curlrc/.opensearch.primary.curlrc
+# Whether or not connections to the primary remote OpenSearch instance require full
+# TLS certificate validation for the connection (this may fail if using self-signed
+# certificates).
+OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=false
+# Whether or not Malcolm's Logstash instance will forward logs to a secondary remote
+# OpenSearch instance in addition to the (local or remote) primary instance.
+OPENSEARCH_SECONDARY=false
+# URL for connecting to the secondary remote OpenSearch instance, specified
+# in the format 'protocol://host:port'.
+OPENSEARCH_SECONDARY_URL=
+# Used when OPENSEARCH_SECONDARY is 'true', the cURL-formatted config file contains login
+# credentials for the secondary OpenSearch instance. The comments describing
+# OPENSEARCH_CREDS_CONFIG_FILE above also apply here. This file is bind mounted locally
+# from .opensearch.secondary.curlrc as /var/local/curlrc/.opensearch.secondary.curlrc
+OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE=/var/local/curlrc/.opensearch.secondary.curlrc
+# Whether or not connections to the secondary remote OpenSearch instance require full
+# TLS certificate validation for the connection (this may fail if using self-signed
+# certificates).
+OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION=false
+# OpenSearch memory allowance and other Java options
+OPENSEARCH_JAVA_OPTS=-server -Xms4g -Xmx4g -Xss256k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true
+
+logger.level=WARN
+bootstrap.memory_lock=true
+MAX_LOCKED_MEMORY=unlimited
+discovery.type=single-node
+cluster.routing.allocation.disk.threshold_enabled=false
+cluster.routing.allocation.node_initial_primaries_recoveries=8
+indices.query.bool.max_clause_count=4096
+path.repo=/opt/opensearch/backup
diff --git a/config/pcap-capture.env.example b/config/pcap-capture.env.example
new file mode 100644
index 000000000..997bf2b8b
--- /dev/null
+++ b/config/pcap-capture.env.example
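Review bot: `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=false` and `OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION=false` ship verification off by default, and the comment above OPENSEARCH_CREDS_CONFIG_FILE says the curlrc is expected to carry `insecure` whenever that is the case, so a remote-OpenSearch deployment that does not revisit these two lines sends its OpenSearch login over a TLS session whose peer is never authenticated. Both are documented as only mattering for remote instances, so `true` would be the safer default with the self-signed case described as the opt-out; at minimum the comment should say that `false` means the server's identity is not checked, rather than only that verification "may fail". The trailing `logger.level`/`bootstrap.*`/`cluster.*` block has no comment explaining why it sits in this file (presumably it is passed through as OpenSearch's own settings), which would help a reader who expects only Malcolm variables here.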
@@ -0,0 +1,23 @@
+# Whether or not netsniff-ng should create PCAP files from live traffic on a local
+# interface for analysis by Arkime capture (should be 'false' if PCAP_ENABLE_TCPDUMP
+# is 'true')
+PCAP_ENABLE_NETSNIFF=false
+# Whether or not tcpdump should create PCAP files from live traffic on a local
+# interface for analysis by Arkime capture (should be 'false' if PCAP_ENABLE_NETSNIFF
+# is 'true')
+PCAP_ENABLE_TCPDUMP=false
+# Specifies local network interface(s) for local packet capture if PCAP_ENABLE_NETSNIFF,
+# PCAP_ENABLE_TCPDUMP, ZEEK_LIVE_CAPTURE or SURICATA_LIVE_CAPTURE are 'true
+PCAP_IFACE=lo
+# Whether or not ethtool will disable NIC hardware offloading features and adjust
+# ring buffer sizes for capture interface(s) (should be 'true' if the interface(s) are
+# being used for capture only, 'false' if they are being used for management/communication)
+PCAP_IFACE_TWEAK=false
+# Specifies how large a locally-captured PCAP file can become (in megabytes) before
+# it is closed for processing and a new PCAP file created
+PCAP_ROTATE_MEGABYTES=4096
+# Specifies a time interval (in minutes) after which a locally-captured PCAP file
+# will be closed for processing and a new PCAP file created
+PCAP_ROTATE_MINUTES=10
+# Specifies a tcpdump-style filter expression for local packet capture ('' to capture all traffic)
+PCAP_FILTER=
\ No newline at end of file
diff --git a/config/process.env.example b/config/process.env.example
new file mode 100644
index 000000000..9cd2b8f71
--- /dev/null
+++ b/config/process.env.example
@@ -0,0 +1,7 @@
+# docker containers will run processes as unprivileged user with UID:GID
+PUID=1000
+PGID=1000
+# for debugging container init via tini (https://github.com/krallin/tini)
+TINI_VERBOSITY=1
+# for handling configmap/secrets files/directories
+CONFIG_MAP_DIR=configmap;secretmap
\ No newline at end of file
diff --git a/config/ssl.env.example b/config/ssl.env.example
new file mode 100644
index 000000000..44a500741
--- /dev/null
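Review bot: The comment above `PCAP_IFACE=lo` ends with an unbalanced quote: `# PCAP_ENABLE_TCPDUMP, ZEEK_LIVE_CAPTURE or SURICATA_LIVE_CAPTURE are 'true` should read `# PCAP_ENABLE_TCPDUMP, ZEEK_LIVE_CAPTURE or SURICATA_LIVE_CAPTURE are 'true'`. The remaining comments in pcap-capture.env.example are consistent with each other, so this is the only wording fix I see in the hunk.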
+++ b/config/ssl.env.example
@@ -0,0 +1,3 @@
+# When possible, docker containers will automatically add trusted CA certificate files
+# found in the ./nginx/ca-trust directory (which is bind mounted to /ca-trust).
+PUSER_CA_TRUST=/var/local/ca-trust
\ No newline at end of file
diff --git a/config/suricata-live.env.example b/config/suricata-live.env.example
new file mode 100644
index 000000000..3fd9e045c
--- /dev/null
+++ b/config/suricata-live.env.example
@@ -0,0 +1,8 @@
+# Whether or not Suricata should monitor live traffic on a local
+# interface (PCAP_IFACE variable below specifies capture interfaces)
+SURICATA_LIVE_CAPTURE=false
+# Specifies the Suricata runmode for live capture (see
+# https://suricata.readthedocs.io/en/latest/performance/runmodes.html)
+SURICATA_RUNMODE=workers
+
+SURICATA_PCAP_PROCESSOR=false
\ No newline at end of file
diff --git a/config/suricata-offline.env.example b/config/suricata-offline.env.example
new file mode 100644
index 000000000..68f7e69b1
--- /dev/null
+++ b/config/suricata-offline.env.example
@@ -0,0 +1,12 @@
+# Whether or not Suricata should analyze uploaded PCAP files
+SURICATA_AUTO_ANALYZE_PCAP_FILES=true
+# The number of Suricata processes for analyzing uploaded PCAP files allowed
+# to run concurrently
+SURICATA_AUTO_ANALYZE_PCAP_THREADS=1
+# Whether or not Suricata should analyze captured PCAP files captured
+# by netsniff-ng/tcpdump (see PCAP_ENABLE_NETSNIFF and PCAP_ENABLE_TCPDUMP
+# below). If SURICATA_LIVE_CAPTURE is true, this should be false: otherwise
+# Suricata will see duplicate traffic.
+SURICATA_ROTATED_PCAP=true
+
+SURICATA_PCAP_PROCESSOR=true
\ No newline at end of file
diff --git a/config/suricata.env.example b/config/suricata.env.example
new file mode 100644
index 000000000..a1dcad99a
--- /dev/null
+++ b/config/suricata.env.example
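Review bot: The comment says the CA files are bind mounted to `/ca-trust`, but the value on the next line is `PUSER_CA_TRUST=/var/local/ca-trust`; one of the two is stale. If the mount point really is /var/local/ca-trust, the comment should read `# found in the ./nginx/ca-trust directory (which is bind mounted to /var/local/ca-trust).`, otherwise the variable should change. I cannot tell from the diff alone which side is right, so the author should check the compose/kubernetes mount definition.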
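Review bot: The comment `# interface (PCAP_IFACE variable below specifies capture interfaces)` in suricata-live.env.example refers to a variable that is no longer in this file now that the settings are split per service; PCAP_IFACE is defined in pcap-capture.env.example. The same stale "below" appears in suricata-offline.env.example (`# by netsniff-ng/tcpdump (see PCAP_ENABLE_NETSNIFF and PCAP_ENABLE_TCPDUMP` / `# below).`) and again in the zeek-live.env.example and zeek-offline.env.example hunks further on. Naming the file instead, e.g. `# interface (PCAP_IFACE in pcap-capture.env.example specifies capture interfaces)`, would fix all four.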
@@ -0,0 +1,10 @@
+# Whether or not the default Suricata ruleset will be ignored and only custom rules used
+SURICATA_CUSTOM_RULES_ONLY=false
+SURICATA_UPDATE_RULES=false
+SURICATA_UPDATE_DEBUG=false
+SURICATA_UPDATE_ETOPEN=true
+# suricata_config_populate.py can use MANY more environment variables to tweak
+# suricata.yaml (see https://github.com/OISF/suricata/blob/master/suricata.yaml.in and
+# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html).
+# DEFAULT_VARS in that script defines those variables (albeit without the
+# required `SURICATA_` prefixing each)
diff --git a/config/upload-common.env.example b/config/upload-common.env.example
new file mode 100644
index 000000000..ad55df213
--- /dev/null
+++ b/config/upload-common.env.example
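Review bot: `SURICATA_UPDATE_RULES=false`, `SURICATA_UPDATE_DEBUG=false` and `SURICATA_UPDATE_ETOPEN=true` are the only values in this file without a comment, while the neighbouring settings each get one. A one-line comment per variable (whether the rule updater runs, whether it runs with debug output, whether the ET Open ruleset is included) would keep the file self-describing; I am inferring those meanings from the names, so the author should confirm them before writing the comments.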
@@ -0,0 +1,23 @@
+# Whether or not to automatically apply tags based (on the PCAP filename) to network traffic metadata
+# parsed from uploaded PCAP files
+AUTO_TAG=true
+# The node name (e.g., the hostname of this machine running Malcolm) to associate with
+# network traffic metadata
+PCAP_NODE_NAME=malcolm
+# Verbosity flag for pcap pipeline debugging (e.g., -v, -vv, -vvv, etc.)
+PCAP_PIPELINE_VERBOSITY=
+# Whether or not PCAP files extant in ./pcap/ will be ignored on startup
+PCAP_PIPELINE_IGNORE_PREEXISTING=false
+# Whether or not to use polling vs. native inotify API to watch for files
+PCAP_PIPELINE_POLLING=false
+# When polling, seconds of inactivity to assume a file is closed and ready for processing
+PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC=10
+# 'pcap-monitor' to match the name of the container providing the uploaded/captured PCAP file
+# monitoring service
+PCAP_MONITOR_HOST=pcap-monitor
+# The age (in minutes) at which already-processed log files containing network traffic metadata should
+# be pruned from the filesystem
+LOG_CLEANUP_MINUTES=360
+# The age (in minutes) at which the compressed archives containing already-processed log files should
+# be pruned from the filesystem
+ZIP_CLEANUP_MINUTES=720
\ No newline at end of file
diff --git a/config/upload.env.example b/config/upload.env.example
new file mode 100644
index 000000000..ebc4e3d25
--- /dev/null
+++ b/config/upload.env.example
@@ -0,0 +1 @@
+SITE_NAME=Capture File and Log Archive Upload
\ No newline at end of file
diff --git a/config/zeek-live.env.example b/config/zeek-live.env.example
new file mode 100644
index 000000000..ab8f03680
--- /dev/null
+++ b/config/zeek-live.env.example
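Review bot: The first comment of upload-common.env.example has a misplaced parenthesis: `# Whether or not to automatically apply tags based (on the PCAP filename) to network traffic metadata` should read `# Whether or not to automatically apply tags (based on the PCAP filename) to network traffic metadata`. Nothing else in this hunk needs changing; the upload.env.example hunk on the same line is a single value.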
@@ -0,0 +1,9 @@
+# Whether or not Zeek should monitor live traffic on a local
+# interface (PCAP_IFACE variable below specifies capture interfaces)
+ZEEK_LIVE_CAPTURE=false
+
+ZEEK_PCAP_PROCESSOR=false
+ZEEK_CRON=true
+ZEEK_LOG_PATH=zeek/live
+ZEEK_INTEL_PATH=opt/zeek/share/zeek/site/intel
+EXTRACT_FILES_PATH=zeek/extract_files
\ No newline at end of file
diff --git a/config/zeek-offline.env.example b/config/zeek-offline.env.example
new file mode 100644
index 000000000..f57f536b0
--- /dev/null
+++ b/config/zeek-offline.env.example
@@ -0,0 +1,13 @@
+# Whether or not Zeek should analyze uploaded PCAP files
+ZEEK_AUTO_ANALYZE_PCAP_FILES=true
+# The number of Zeek processes for analyzing uploaded PCAP files allowed
+# to run concurrently
+ZEEK_AUTO_ANALYZE_PCAP_THREADS=1
+# Whether or not Zeek should analyze captured PCAP files captured
+# by netsniff-ng/tcpdump (see PCAP_ENABLE_NETSNIFF and PCAP_ENABLE_TCPDUMP
+# below). If ZEEK_LIVE_CAPTURE is true, this should be false: otherwise
+# Zeek will see duplicate traffic.
+ZEEK_ROTATED_PCAP=true
+
+ZEEK_PCAP_PROCESSOR=true
+ZEEK_CRON=false
\ No newline at end of file
diff --git a/config/zeek-secret.env.example b/config/zeek-secret.env.example
new file mode 100644
index 000000000..8ce2739c6
--- /dev/null
+++ b/config/zeek-secret.env.example
@@ -0,0 +1,5 @@
+# A VirusTotal Public API v.20 used to submit hashes of Zeek-extracted files
+VTOT_API2_KEY=0
+# Specifies the AES-256-CBC decryption password for encrypted Zeek-extracted files served over HTTP
+EXTRACTED_FILE_HTTP_SERVER_KEY=quarantined
+K8S_SECRET=True
\ No newline at end of file
diff --git a/config/zeek.env.example b/config/zeek.env.example
new file mode 100644
index 000000000..060fe1290
--- /dev/null
+++ b/config/zeek.env.example
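Review bot: `EXTRACTED_FILE_HTTP_SERVER_KEY=quarantined` in zeek-secret.env.example puts a fixed, published value into a file the commit itself marks as secret material (`K8S_SECRET=True`), so a deployment that copies the example unchanged encrypts served extracted files with a password anyone reading this repository knows. The comment should say the value is a placeholder that has to be replaced (or generated by the setup script, if that script handles it) rather than leaving it to read as a usable default. The VirusTotal comment is also missing a word: `# A VirusTotal Public API v.20 used to submit hashes of Zeek-extracted files` should read `# A VirusTotal Public API v2.0 key used to submit hashes of Zeek-extracted files`, assuming "v.20" is a typo for v2.0 as the variable name VTOT_API2_KEY suggests. The zeek-live and zeek-offline hunks on this line carry only the stale "PCAP_IFACE ... below" wording already raised on the suricata hunks.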
@@ -0,0 +1,64 @@
+# Specifies the value for Zeek's Intel::item_expiration timeout (-1min to disable)
+ZEEK_INTEL_ITEM_EXPIRATION=-1min
+# When querying a TAXII or MISP feed, only process threat indicators that have
+# been created or modified since the time represented by this value;
+# it may be either a fixed date/time (01/01/2021) or relative interval (30 days ago)
+ZEEK_INTEL_FEED_SINCE=
+# Specifies a cron expression indicating the refresh interval for generating the
+# Zeek Intelligence Framework files ('' disables automatic refresh)
+ZEEK_INTEL_REFRESH_CRON_EXPRESSION=
+# Determines the file extraction behavior for file transfers detected by Zeek
+ZEEK_EXTRACTOR_MODE=none
+# Whether or not to use polling vs. native inotify API to watch for files
+EXTRACTED_FILE_WATCHER_POLLING=false
+# When polling, seconds of inactivity to assume a file is closed and ready for processing
+EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC=10
+# Whether or not files extant in ./zeek-logs/extract_files/ will be ignored on startup
+EXTRACTED_FILE_IGNORE_EXISTING=false
+# Determines the behavior for preservation of Zeek-extracted files
+EXTRACTED_FILE_PRESERVATION=quarantined
+# The minimum size (in bytes) for files to be extracted by Zeek
+EXTRACTED_FILE_MIN_BYTES=64
+# The maximum size (in bytes) for files to be extracted by Zeek
+EXTRACTED_FILE_MAX_BYTES=134217728
+# Rate limiting for VirusTotal, ClamAV, YARA and capa with Zeek-extracted files
+VTOT_REQUESTS_PER_MINUTE=4
+CLAMD_MAX_REQUESTS=8
+YARA_MAX_REQUESTS=8
+CAPA_MAX_REQUESTS=4
+# Whether or not YARA will scan Zeek-extracted files
+EXTRACTED_FILE_ENABLE_YARA=false
+# Whether or not the default YARA ruleset will be ignored and only custom rules used
+EXTRACTED_FILE_YARA_CUSTOM_ONLY=false
+# Whether or not capa will scan Zeek-extracted executables
+EXTRACTED_FILE_ENABLE_CAPA=false
+# Whether or not capa will be extra verbose
+EXTRACTED_FILE_CAPA_VERBOSE=false
+# Whether or not ClamAV will scan Zeek-extracted executables
+EXTRACTED_FILE_ENABLE_CLAMAV=false
+# Whether or not to regularly update rule definitions for file scanning engines
+EXTRACTED_FILE_UPDATE_RULES=false
+# Verbosity flag for extracted file pipeline debugging (e.g., -v, -vv, -vvv, etc.)
+EXTRACTED_FILE_PIPELINE_VERBOSITY=
+# Whether or not to serve the directory containing Zeek-extracted over HTTP at ./extracted-files/
+EXTRACTED_FILE_HTTP_SERVER_ENABLE=false
+# Whether or not Zeek-extracted files served over HTTP will be AES-256-CBC-encrypted
+EXTRACTED_FILE_HTTP_SERVER_ENCRYPT=true
+# Environment variables for tweaking Zeek at runtime (see local.zeek)
+# Set to any non-blank value to disable the corresponding feature
+ZEEK_DISABLE_HASH_ALL_FILES=
+ZEEK_DISABLE_LOG_PASSWORDS=
+ZEEK_DISABLE_SSL_VALIDATE_CERTS=
+ZEEK_DISABLE_TRACK_ALL_ASSETS=
+ZEEK_DISABLE_BEST_GUESS_ICS=true
+ZEEK_DISABLE_SPICY_DHCP=true
+ZEEK_DISABLE_SPICY_DNS=true
+ZEEK_DISABLE_SPICY_HTTP=true
+ZEEK_DISABLE_SPICY_IPSEC=
+ZEEK_DISABLE_SPICY_LDAP=
+ZEEK_DISABLE_SPICY_OPENVPN=
+ZEEK_DISABLE_SPICY_STUN=
+ZEEK_DISABLE_SPICY_TAILSCALE=
+ZEEK_DISABLE_SPICY_TFTP=
+ZEEK_DISABLE_SPICY_WIREGUARD=
+ZEEK_SYNCHROPHASOR_DETAILED=
\ No newline at end of file
diff --git a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
index b43c3c475..168a63b2d 100644
--- a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
+++ b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
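Review bot: Under the rule stated two lines above it (`# Set to any non-blank value to disable the corresponding feature`), the blank `ZEEK_DISABLE_LOG_PASSWORDS=` leaves password logging enabled by default, which means cleartext credentials observed in captured traffic are written into the Zeek logs and from there into the data store. That is a sensitive-data decision operators should make consciously, and a comment on that line such as `# blank = credentials seen in cleartext protocols are recorded in Zeek logs; set to disable` would make it visible instead of relying on the group-level note. Unrelated typo in the same hunk: `# Whether or not to serve the directory containing Zeek-extracted over HTTP at ./extracted-files/` is missing the word "files" after "Zeek-extracted".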
@@ -112,7 +112,7 @@ "version": "Wzc0MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json index 4cd8be739..113bae5ca 100644 --- a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json +++ b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json 
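Review bot: The "Network Logs" navigation markdown is stored as one escaped string inside each dashboard's visState, and this hunk and the identical one for dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json below both re-embed the entire string in order to add a single Synchrophasor link. If these files are not produced by a generator, the copies will drift the next time a link is added or a dashboard id changes; a note in the project docs (or a script that rewrites the block in every dashboard) would make the duplication explicit. I can only see these two sections in this span, so there may be more copies to keep in step.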
@@ -87,7 +87,7 @@ "version": "Wzc5NSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json index 400c4a68a..9794d1f77 100644 --- a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json +++ b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json 
@@ -92,7 +92,7 @@ "version": "Wzg3OSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json index 8a087ca3d..010a1fa65 100644 --- a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json +++ b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json 
@@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json index 88152f6a0..e648c3164 100644 --- a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json +++ b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json 
@@ -87,7 +87,7 @@ "version": "WzkzNiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json index 64e92c1b7..aa545fa32 100644 --- a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json +++ b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json 
@@ -87,7 +87,7 @@ "version": "Wzc5NSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json index 0d4e47fc8..aa52e0c61 100644 --- a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json +++ b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json 
@@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json index 2fbcb1e8b..46e49a6b9 100644 --- a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json +++ b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json 
@@ -107,7 +107,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json index 742195812..14bf63445 100644 --- a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json +++ b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json 
@@ -82,7 +82,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json index 95211d9d5..d38c0c5aa 100644 --- a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json +++ b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json 
@@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json index 2bc42ed26..58b3af7bb 100644 --- a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json +++ b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json 
@@ -82,7 +82,7 @@ "version": "Wzc1NSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json index 013f4b224..f99101751 100644 --- a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json +++ b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json 
@@ -117,7 +117,7 @@ "version": "WzgxOSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json index 6dc85898b..d37b1f509 100644 --- a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json +++ b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json 
@@ -92,7 +92,7 @@ "version": "WzkzNiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json index ecd237ca6..34e61f1aa 100644 --- a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json index 3fd5118b6..4a8c8e603 100644 --- a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json +++ b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json 
@@ -72,7 +72,7 @@ "version": "Wzc4NCwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json index 22211085c..965fadb4e 100644 --- a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json 
@@ -102,7 +102,7 @@ "version": "Wzc4NSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json index f4955b831..4045deae4 100644 --- a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json 
@@ -107,7 +107,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json b/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json new file mode 100644 index 000000000..121a4f698 --- /dev/null +++ b/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json 
@@ -0,0 +1,641 @@ +{ + "version": "2.6.0", + "objects": [ + { + "id": "2cc56240-e460-11ed-a9d5-9f591c284cb4", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:48:24.081Z", + "version": "Wzk1MSwxXQ==", + "attributes": { + "title": "Synchrophasor", + "hits": 0, + "description": "Dashboard for the DNP3 Protocol", + "panelsJSON": "[{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":13,\"h\":18,\"i\":\"38d18152-c0f9-436b-a19d-ac76cfbc1bac\"},\"panelIndex\":\"38d18152-c0f9-436b-a19d-ac76cfbc1bac\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":21,\"y\":0,\"w\":27,\"h\":18,\"i\":\"b3c290e3-6d8f-4616-beaa-f5183a0d5208\"},\"panelIndex\":\"b3c290e3-6d8f-4616-beaa-f5183a0d5208\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":8,\"y\":18,\"w\":8,\"h\":19,\"i\":\"faf91692-201a-47c1-9439-62cb71e577de\"},\"panelIndex\":\"faf91692-201a-47c1-9439-62cb71e577de\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":16,\"y\":18,\"w\":10,\"h\":19,\"i\":\"3a54cfa0-dc19-49ad-b63f-8e570227587d\"},\"panelIndex\":\"3a54cfa0-dc19-49ad-b63f-8e570227587d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":26,\"y\":18,\"w\":10,\"h\":19,\"i\":\"118707f0-37e5-4838-b58f-a9c75b37f021\"},\"panelIndex\":\"118707f0-37e5-4838-b58f-a9c75b37f021\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":36,\"y\":18,\"w\":12,\"h\":19,\"i\":\"3a76fd84-afcf-4c18-b378-c2434c1c2ce3\"},\"panelIndex\":\"3a76fd84-afcf-4c18-b378-c2434c1c2ce3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":8
,\"h\":13,\"i\":\"3033af99-af03-4def-b524-55bf5706e9e7\"},\"panelIndex\":\"3033af99-af03-4def-b524-55bf5706e9e7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":8,\"y\":37,\"w\":10,\"h\":19,\"i\":\"063f5459-fca9-4f55-b0a8-5fc15d59e1e2\"},\"panelIndex\":\"063f5459-fca9-4f55-b0a8-5fc15d59e1e2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":18,\"y\":37,\"w\":10,\"h\":19,\"i\":\"668fcd2b-fcb1-468e-89af-d10a89e66992\"},\"panelIndex\":\"668fcd2b-fcb1-468e-89af-d10a89e66992\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":28,\"y\":37,\"w\":10,\"h\":19,\"i\":\"7ad5b38e-aa33-45b2-83b5-650ea45778f5\"},\"panelIndex\":\"7ad5b38e-aa33-45b2-83b5-650ea45778f5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":38,\"y\":37,\"w\":10,\"h\":19,\"i\":\"b94ddaeb-f509-401c-8f14-ae0d4c363dc8\"},\"panelIndex\":\"b94ddaeb-f509-401c-8f14-ae0d4c363dc8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":43,\"w\":8,\"h\":13,\"i\":\"8fd25887-38e9-4cb7-8c85-f659f2337b65\"},\"panelIndex\":\"8fd25887-38e9-4cb7-8c85-f659f2337b65\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":18,\"i\":\"2e030d08-7422-4420-9c32-515ea641f5ec\"},\"panelIndex\":\"2e030d08-7422-4420-9c32-515ea641f5ec\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":74,\"w\":48,\"h\":18,\"i\":\"44849c88-bbe0-4907-94a6-4a930b3bf61c\"},\"panelIndex\":\"44849c88-bbe0-4907-94a6-4a930b3bf61c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":92,\"w\":48,\"h\":24,\"i\":\"8afdbe78-d879-4285-b589-769e1f006ebf\"},\"panelIndex\":\"8afdbe78-d879-4285-b589-769e1f006ebf\",\"embeddableConfig\":{},\"panelRefName\
":\"panel_15\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":116,\"w\":48,\"h\":22,\"i\":\"dba8956a-61cf-4d3a-a691-07a97072b51c\"},\"panelIndex\":\"dba8956a-61cf-4d3a-a691-07a97072b51c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_16\"}]", + "optionsJSON": "{\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "panel_0", + "type": "visualization", + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_1", + "type": "visualization", + "id": "a4acba10-e460-11ed-a9d5-9f591c284cb4" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "f3dffed0-e460-11ed-a9d5-9f591c284cb4" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "2928e520-e461-11ed-a9d5-9f591c284cb4" + }, + { + "name": "panel_4", + "type": "visualization", + "id": "606cff30-e461-11ed-a9d5-9f591c284cb4" + }, + { + "name": "panel_5", + "type": "visualization", + "id": "e286d040-e461-11ed-a9d5-9f591c284cb4" + }, + { + "name": "panel_6", + "type": "visualization", + "id": "28c384e0-e467-11ed-be6f-077da9a43874" + }, + { + "name": "panel_7", + "type": "visualization", + "id": "9ba20280-e461-11ed-a9d5-9f591c284cb4" + }, + { + "name": "panel_8", + "type": "visualization", + "id": "b2f24660-e467-11ed-be6f-077da9a43874" + }, + { + "name": "panel_9", + "type": "visualization", + "id": "6fe5f7e0-e467-11ed-be6f-077da9a43874" + }, + { + "name": "panel_10", + "type": "visualization", + "id": "8d694670-e465-11ed-be6f-077da9a43874" + }, + { + "name": "panel_11", + "type": "visualization", + "id": "fa71b860-e465-11ed-be6f-077da9a43874" + }, + { + "name": "panel_12", + "type": "visualization", + "id": "a7f2ae90-e466-11ed-be6f-077da9a43874" + }, + { + "name": "panel_13", + "type": "visualization", + "id": "9af335d0-e46a-11ed-be6f-077da9a43874" + }, + { + "name": 
"panel_14", + "type": "visualization", + "id": "6ed03030-e469-11ed-be6f-077da9a43874" + }, + { + "name": "panel_15", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + }, + { + "name": "panel_16", + "type": "search", + "id": "53729e40-e45f-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "dashboard": "7.9.3" + } + }, + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T18:57:19.151Z", + "version": "Wzg0OSwxXQ==", + "attributes": { + "title": "Network Logs", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata 
Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● 
[SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best 
Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "a4acba10-e460-11ed-a9d5-9f591c284cb4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T18:56:23.870Z", + "version": "WzIwOSwxXQ==", + "attributes": { + "title": "Synchrophasor - Log Count", + "visState": "{\"title\":\"Synchrophasor - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": 
"f3dffed0-e460-11ed-a9d5-9f591c284cb4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T18:56:23.870Z", + "version": "WzIxMCwxXQ==", + "attributes": { + "title": "Synchrophasor - Log Count Over Time", + "visState": "{\"title\":\"Synchrophasor - Log Count Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "53729e40-e45f-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "2928e520-e461-11ed-a9d5-9f591c284cb4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T18:56:23.870Z", + "version": "WzIxMSwxXQ==", + "attributes": { + "title": "Synchrophasor - Source", + "visState": "{\"title\":\"Synchrophasor - Source\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "53729e40-e45f-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "606cff30-e461-11ed-a9d5-9f591c284cb4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T18:56:23.870Z", + "version": "WzIxMiwxXQ==", + "attributes": { + "title": "Synchrophasor - Destination", + "visState": "{\"title\":\"Synchrophasor - 
Destination\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "53729e40-e45f-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "e286d040-e461-11ed-a9d5-9f591c284cb4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:08:46.643Z", + "version": "Wzk0MCwxXQ==", + "attributes": { + "title": "Synchrophasor - Action", + "visState": "{\"title\":\"Synchrophasor - 
Action\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "28c384e0-e467-11ed-be6f-077da9a43874", + "type": "visualization", + 
"namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:18:43.502Z", + "version": "Wzk0NCwxXQ==", + "attributes": { + "title": "Synchrophasor - Frame Types", + "visState": "{\"title\":\"Synchrophasor - Frame Types\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.synchrophasor.frame_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Frame Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + 
"references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "9ba20280-e461-11ed-a9d5-9f591c284cb4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T18:56:23.870Z", + "version": "WzIxNCwxXQ==", + "attributes": { + "title": "Synchrophasor - Transport", + "visState": "{\"title\":\"Synchrophasor - Transport\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Transport\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "53729e40-e45f-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "b2f24660-e467-11ed-be6f-077da9a43874", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:22:35.332Z", + "version": "Wzk0NiwxXQ==", + "attributes": { + "title": "Synchrophasor - Stations", + "visState": "{\"title\":\"Synchrophasor - 
Stations\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.synchrophasor_cfg_detail.station_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Station\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "6fe5f7e0-e467-11ed-be6f-077da9a43874", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:20:42.844Z", + "version": "Wzk0NSwxXQ==", + "attributes": { + "title": "Synchrophasor - Phasors", + "visState": "{\"title\":\"Synchrophasor - Phasors\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.synchrophasor_cfg_detail.phnam\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Phasor\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": 
{ + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "8d694670-e465-11ed-be6f-077da9a43874", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:07:13.365Z", + "version": "WzkzNywxXQ==", + "attributes": { + "title": "Synchrophasor - Analog Channels", + "visState": "{\"title\":\"Synchrophasor - Analog Channels\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.synchrophasor_cfg_detail.annam\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Analog Channel\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "fa71b860-e465-11ed-be6f-077da9a43874", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:10:16.291Z", + "version": "Wzk0MSwxXQ==", + "attributes": { + "title": "Synchrophasor - Digital Channels", + "visState": "{\"title\":\"Synchrophasor - Digital 
Channels\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.synchrophasor_cfg_detail.dgnam\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Digital Channel\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "a7f2ae90-e466-11ed-be6f-077da9a43874", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:15:07.383Z", + "version": "Wzk0MiwxXQ==", + "attributes": { + "title": "Synchrophasor - Data Modified", + "visState": "{\"title\":\"Synchrophasor - Data Modified\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.synchrophasor_data_detail.data_modified\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Data Modified\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "uiStateJSON": 
"{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "9af335d0-e46a-11ed-be6f-077da9a43874", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:43:23.563Z", + "version": "Wzk1MCwxXQ==", + "attributes": { + "title": "Synchrophasor - Rate of Change of Frequency Over Time", + "visState": "{\"title\":\"Synchrophasor - Rate of Change of Frequency Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"zeek.synchrophasor_data_detail.rocof\",\"customLabel\":\"ROCOF (Hz/sec * 100)\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"radius\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"ROCOF (Hz/sec * 100)\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"ROCOF (Hz/sec * 100)\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":false,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"radiusRatio\":25}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "6ed03030-e469-11ed-be6f-077da9a43874", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T19:35:00.017Z", + "version": "Wzk0OCwxXQ==", + "attributes": { + "title": "Synchrophasor - Frequency Deviation From Nominal Over Time", + "visState": "{\"title\":\"Synchrophasor - Frequency Deviation From Nominal Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"zeek.synchrophasor_data_detail.freq_dev_mhz\",\"customLabel\":\"Maximum frequency deviation from nominal 
(mHz)\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Maximum frequency deviation from nominal (mHz)\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Maximum frequency deviation from nominal (mHz)\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "031207a0-e460-11ed-a9d5-9f591c284cb4", + "type": "search", + 
"namespaces": [ + "default" + ], + "updated_at": "2023-04-26T18:56:23.870Z", + "version": "WzIxNSwxXQ==", + "attributes": { + "title": "Synchrophasor and Related - Logs", + "description": "", + "hits": 0, + "columns": [ + "event.dataset", + "network.transport", + "source.ip", + "destination.ip", + "destination.port", + "zeek.synchrophasor.frame_type", + "event.action", + "totDataBytes", + "zeek.uid" + ], + "sort": [], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:synchrophasor*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "search": "7.9.3" + } + }, + { + "id": "53729e40-e45f-11ed-a9d5-9f591c284cb4", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2023-04-26T18:56:23.870Z", + "version": "WzIxNiwxXQ==", + "attributes": { + "title": "Synchrophasor - Logs", + "description": "", + "hits": 0, + "columns": [ + "network.transport", + "network.protocol_version", + "source.ip", + "destination.ip", + "destination.port", + "zeek.synchrophasor.data_stream_id", + "zeek.synchrophasor.history", + "zeek.synchrophasor.data_rate", + "zeek.synchrophasor.data_frame_count", + "zeek.synchrophasor.frame_size_tot", + "zeek.uid" + ], + "sort": [], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:synchrophasor\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": 
{
+ "search": "7.9.3"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
index 54b3c598e..3cde1eb35 100644
--- a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
+++ b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
@@ -107,7 +107,7 @@ "version": "Wzg3OSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json index 015df968f..290af940b 100644 --- a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json +++ b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json 
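Review bot: The new nav entry `[Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4)` hard-codes a dashboard id that must equal the `id` of the Synchrophasor dashboard saved object added elsewhere in this commit; that object's header is not visible in this hunk, so please confirm the two match, since a typo here yields a dead link in the navigation panel of every dashboard. This `Network Logs` markdown `visState` is copied verbatim into each dashboard JSON (the same edit appears in the 2d98bb8e-… and 32587740-… files below), so a missed file silently leaves an inconsistent menu. Consider a small repository check that asserts every `Network Logs` visualization carries an identical `visState` string, or generating that panel from one template at build time. All links in the panel are site-relative paths, so no external-link or `openLinksInNewTab` concern is introduced by this change.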
@@ -117,7 +117,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json index 3b77db2d0..d40c44f5a 100644 --- a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json +++ b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json 
@@ -72,7 +72,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json index 1bfb6dd9d..ff1f72d69 100644 --- a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json +++ b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json 
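Review bot: The "Network Logs" navigation panel's markdown is embedded verbatim in the visState of this dashboard, so adding a single Synchrophasor link means rewriting the same multi-kilobyte string here and again, identically, in the hunks for 36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json and 37041ee1-79c0-4684-a436-3173b0e89876.json (and presumably every other dashboard in the commit). Each copy must be regenerated by hand, and a mistyped or stale dashboard id in one of them is easy to miss because the changed line is too long to read in a diff. If the project already has a script that produces these saved-object exports, consider emitting the panel markdown from one template (or referencing a single shared saved visualization by id) so that the next protocol addition touches one place; I cannot tell from the diff whether such a generator exists. Until then, a short note alongside the dashboards naming the files that carry this panel would at least make the full set of copies discoverable.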
@@ -97,7 +97,7 @@ "version": "Wzc2OSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json index ffcd9030c..590725d93 100644 --- a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json +++ b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json 
@@ -127,7 +127,7 @@ "version": "WzgwNSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json index c75a75741..8850daf59 100644 --- a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json index f71809251..ad9446029 100644 --- a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json +++ b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json 
@@ -102,7 +102,7 @@ "version": "WzkzNywxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json index 78dd9730f..9a0748b3b 100644 --- a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json +++ b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json 
@@ -97,7 +97,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json index 3716a5d5f..2888504dd 100644 --- a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json +++ b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json 
@@ -82,7 +82,7 @@ "version": "Wzg4MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json index 64358c88b..829073e75 100644 --- a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json +++ b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json 
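Review bot: The Synchrophasor entry added to the ICS/IoT list in this hunk is the same hand-copied markdown navigation panel embedded as an escaped string in every dashboard's "Network Logs" visualization (the 4a4bde20 and 4e5f106e hunks below, and apparently the hunk that begins before this chunk, carry the identical edit), so any dashboard whose panel is missed keeps the stale list silently — there is no parse error or test that would catch the inconsistency. Consider producing this `visState` markdown from one source (a script that rewrites the panel in every file under `dashboards/dashboards/`) or at minimum a check that every file containing the `### ICS/IoT Protocols` heading also contains the `2cc56240-e460-11ed-a9d5-9f591c284cb4` view id. That target id is introduced here without the corresponding saved-object JSON being visible in this chunk; presumably it is added elsewhere in the commit, which is worth confirming so the panel does not link to a missing dashboard.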
@@ -92,7 +92,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json index ad9aa8a11..01ac8d835 100644 --- a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json +++ b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json 
@@ -87,7 +87,7 @@ "version": "Wzg3NCwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json index 02fec7b95..68dc7db3e 100644 --- a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json +++ b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json 
@@ -97,7 +97,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json index 01742676e..87df8a899 100644 --- a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json +++ b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json 
@@ -97,7 +97,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json index 7308b1224..c28f5a03c 100644 --- a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -47,7 +47,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json index 2f8f4e0c5..f8058b80d 100644 --- a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json +++ b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json 
@@ -97,7 +97,7 @@ "version": "Wzc4NCwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json index a7b88339d..eb3b6090a 100644 --- a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json +++ b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json 
@@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json index b650c0ca8..937af33d4 100644 --- a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json +++ b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json 
@@ -77,7 +77,7 @@ "version": "Wzc4NCwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json index accf76c10..7eabc838c 100644 --- a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json +++ b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json 
@@ -117,7 +117,7 @@ "version": "WzgzNywxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json index 43d238541..c1c097be1 100644 --- a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json +++ b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json 
@@ -82,7 +82,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json index 0be49def4..659228b43 100644 --- a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json index 0c54cce9b..f16700c2e 100644 --- a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json +++ b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json 
@@ -92,7 +92,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json index 247b8ac11..00bea6ecc 100644 --- a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json +++ b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json 
@@ -127,7 +127,7 @@ "version": "WzcyNiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json index 47b0b7650..7976e3d04 100644 --- a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json +++ b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json 
@@ -107,7 +107,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json index 1842a16d4..24ffe312f 100644 --- a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json +++ b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json 
@@ -102,7 +102,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json index 508a8945e..cfdabab35 100644 --- a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json +++ b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json 
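Review bot: The actual delta in this hunk — the new `[Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● ` entry inserted before `[Best Guess]` — is not reviewable from the diff, because `visState` is a single minified JSON string and the whole multi-kilobyte line is replaced, so a reviewer cannot confirm that no other link was dropped or altered. The same "Network Logs" navigation panel is carried as a verbatim copy in the 87a32f90, 87d990cc and 89d1cc50 dashboards in this chunk (and presumably in every other file under dashboards/dashboards/), so each new link must be applied identically everywhere and a missed file silently leaves one dashboard with stale navigation. Consider adding a small consistency check to the repository's test or build scripts that asserts the `visState` of every visualization titled "Network Logs" across these files is byte-identical, so drift between copies is caught mechanically rather than by a user.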
@@ -92,7 +92,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json index e2c6301c3..53e4df327 100644 --- a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json +++ b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json 
@@ -62,7 +62,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json b/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json index ff6fbaccc..85ecd6ffc 100644 --- a/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json +++ b/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json 
@@ -102,7 +102,7 @@ "version": "WzgzNywxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json index 134065b96..1f4086dc7 100644 --- a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json +++ b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json 
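Review bot: The "Network Logs" markdown visState is a hand-maintained copy of the same navigation text in each dashboard export, and this hunk (like the ones ending at L375 and L381, and presumably the other dashboard files in this commit) edits every copy to insert the Synchrophasor link; nothing in the change guards against one copy being missed or drifting. A small consistency check in the repository, for example a test that all `Network Logs` visualizations across `dashboards/dashboards/*.json` carry a byte-identical `visState` string, would catch an omission the next time an entry is added. If the project already regenerates these exports from a single template, a comment or README line pointing to that source would make the duplication less surprising to a reviewer. This note applies to the new side only; the old lines are history and are not re-reviewed here.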
@@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json index 9ea454bc4..50ce2f5c9 100644 --- a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json +++ b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json 
@@ -102,7 +102,7 @@ "version": "WzgwNiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json index e2e677d8e..2cfabcde2 100644 --- a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json +++ b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json 
@@ -117,7 +117,7 @@ "version": "Wzc4NiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json index 35206c3cc..6342cc776 100644 --- a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json index e828cc95b..3e3552135 100644 --- a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json +++ b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json 
@@ -77,7 +77,7 @@ "version": "Wzc4NSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json index 628181b1c..d4e93a7ef 100644 --- a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json 
@@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json index df96e4aa2..220fd99fa 100644 --- a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json +++ b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json 
@@ -167,7 +167,7 @@ "version": "Wzc4NiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json index 706b375ae..46d6f027b 100644 --- a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json +++ b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json 
@@ -87,7 +87,7 @@ "version": "WzkzNywxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json index 012c754aa..e6d9794ed 100644 --- a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json +++ b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json 
@@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json index 520143c9d..26c32eade 100644 --- a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json +++ b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json 
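Review bot: The "Network Logs" navigation panel is carried as a separate embedded visualization in each dashboard file, so the new Synchrophasor link has to be inserted byte-for-byte into every copy; the hunks here for af5df620, b50c8d17 and b9f247c0 are identical and the one for bb827f8e is cut off at the end of this view, and any dashboard not touched by this commit would keep the old menu. If the exports are produced by a script or template, it would be worth regenerating all copies from one source rather than editing them individually, so the copies cannot drift apart. A short note in the dashboards directory README such as `The "Network Logs" markdown panel is duplicated in every dashboard export; change it in one place and regenerate all files` would make the maintenance rule explicit.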
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json index be97b67ec..714dc2877 100644 --- a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json index 574055151..6a3653cb7 100644 --- a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json +++ b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json 
@@ -107,7 +107,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json index dd5769ddf..63deb6d9e 100644 --- a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json +++ b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json 
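Review bot: The new `visState` line embeds the entire "Network Logs" navigation panel as an escaped JSON string that is copied verbatim into each dashboard file, so the one added Synchrophasor link has to be repeated per file and a copy that is missed drifts silently with no parse or import error. The same change recurs in the hunks for `bed185a0-ef82-11e9-b38a-2db3ee640e88.json` and `bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json` shown here and presumably in the remaining dashboard files outside this chunk. If these panels are regenerated by a script or export step, a short note in the dashboards directory's README naming that step and stating that every dashboard's "Network Logs" `visState` must be identical would let a reviewer verify the set; failing that, a CI check comparing that string across all `dashboards/dashboards/*.json` would catch an omitted copy. Within the hunks visible here the new strings are consistent with each other.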
@@ -72,7 +72,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json index 8e5959eb6..42d728be7 100644 --- a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json +++ b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json 
@@ -82,7 +82,7 @@ "version": "WzY5MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json index 2f57ade45..3b00555c6 100644 --- a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json +++ b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json 
@@ -77,7 +77,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json index 325f2f766..81c7de66f 100644 --- a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json +++ b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json 
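Review bot: The "Network Logs" navigation panel is one identical escaped-markdown string copied into every dashboard's saved visualization, so adding the Synchrophasor link means the same multi-kilobyte `"visState"` value is re-edited by hand in this hunk and again in the hunks that follow, and any dashboard file that was missed would silently keep the stale menu with no error at import time. Nothing in the change guards against that drift. A cheap guard is a repository test or pre-commit step that loads every `dashboards/dashboards/*.json`, collects the `visState` of each object whose `"title"` is `"Network Logs"`, and fails when more than one distinct value exists, so the next protocol addition cannot be partially applied. The surrounding saved-object `"version": "Wzg3MiwxXQ=="` context line is untouched by the edit, which is presumably fine if the importer overwrites it, but worth confirming against the import script rather than assuming.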
@@ -92,7 +92,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json index 893de0e74..d31063c44 100644 --- a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json +++ b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json 
@@ -102,7 +102,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json index ebd3730a2..093afa901 100644 --- a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json +++ b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json 
@@ -112,7 +112,7 @@ "version": "WzczOSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json index e7cea00e1..4ab0a7d62 100644 --- a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json 
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json index 9dd79bbf8..b70dd3203 100644 --- a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json +++ b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json 
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json index fa06a8a2b..233689446 100644 --- a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json +++ b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json 
@@ -107,7 +107,7 @@ "version": "WzgzOCwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1, 
diff --git a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json 
index 7c5b69a92..b90546042 100644 
--- a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json 
+++ b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json 
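Review bot: The `visState` value on the `+` line is the same "Network Logs" navigation markdown that the other dashboard files in this commit carry verbatim (the hunks for e09a4b86-29b5-4256-bb3b-802ac9f90404.json and e76d05c0-eb9f-11e9-a384-0fcf32210194.json below make the identical one-link edit), so adding the Synchrophasor entry means hand-editing one escaped JSON-in-JSON string per dashboard, and any dashboard that is missed silently keeps the old menu with nothing to catch it. Consider keeping that markdown in a single source file and stamping it into each saved object at build or import time, or at least adding a CI check that the `visState` of every visualization titled "Network Logs" is byte-identical across the dashboards/dashboards/*.json files. The added link target is a same-origin relative path like the rest of the menu, so the content of the change itself looks fine.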
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1, 
diff --git a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json 
index 217fef8cb..8e9e8ec31 100644 
--- a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json 
+++ b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json 
@@ -87,7 +87,7 @@ "version": "WzgwMSwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1, 
diff --git a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json 
index 97b0c5cbe..5aa84af44 100644 
--- a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json 
+++ b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json 
@@ -47,7 +47,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json index 57ff8d1c0..d2eb7eb48 100644 --- a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json +++ b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json 
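Review bot: The new `visState` markdown links to dashboard id `2cc56240-e460-11ed-a9d5-9f591c284cb4` (the Synchrophasor entry), and nothing in these hunks shows that saved object being imported; if its JSON (presumably `dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json`, following the naming of the files touched here) is not part of this change, every "Network Logs" panel will carry a dead link. The same edit is repeated verbatim in the hunks for `f1f09567-...json`, `f394057d-...json` and `f77bf097-...json` below, which is the usual cost of this navigation markdown being copied into each dashboard's saved object rather than produced from one source; a quick check that each copy ends up byte-identical (e.g. diffing the `visState` values across files after import) would catch a missed file. The last hunk in this chunk (`f77bf097-...json`) is cut off before its added line, so its new side could not be compared here.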
@@ -137,7 +137,7 @@ "version": "Wzc4NCwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json index 6f551e215..109b52b49 100644 --- a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json +++ b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json 
@@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json index 253051813..d426b9281 100644 --- a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json +++ b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json 
@@ -102,7 +102,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json index 87a04672e..e02b32e9a 100644 --- a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json +++ b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json 
@@ -77,7 +77,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json index 607dac9e4..d4db6934a 100644 --- a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json +++ b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json 
@@ -102,7 +102,7 @@ "version": "WzkzNywxXQ==", "attributes": { "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● 
[TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) 
\\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● 
[DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/notifications/channels/malcolm_api_loopback_webhook.json b/dashboards/notifications/channels/malcolm_api_loopback_webhook.json index 7046f94d9..d4ae6c3ba 100644 --- a/dashboards/notifications/channels/malcolm_api_loopback_webhook.json +++ b/dashboards/notifications/channels/malcolm_api_loopback_webhook.json @@ -6,7 +6,7 @@ "description": "Malcolm API webhook to index OpenSearch alerts as session documents", "config_type": "webhook", "webhook": { - "url": "http://api:5000/alert", + "url": "http://api:5000/mapi/alert", "method": "POST", "header_params": { "Content-Type": "application/json" diff --git a/dashboards/scripts/create-arkime-sessions-index.sh b/dashboards/scripts/create-arkime-sessions-index.sh index feb6b9497..985daa03a 100755 --- a/dashboards/scripts/create-arkime-sessions-index.sh +++ b/dashboards/scripts/create-arkime-sessions-index.sh 
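Review bot: The new `/mapi/alert` URL still points at plain `http://api:5000` and the channel sends only a `Content-Type` header, so no credentials travel with the alert POST and the channel relies entirely on network isolation between the dashboards and api containers for both confidentiality and authenticity of what gets indexed; the commit moves the path but leaves that assumption undocumented. If internal-network-only reachability is the intended control, say so where an operator will see it, e.g. `"description": "Malcolm API webhook to index OpenSearch alerts as session documents (api:5000 is expected to be reachable only on the internal Malcolm network; this channel carries no credentials)"`. Whether the api service requires authentication on `/mapi/alert` is not visible from this hunk, so treat the note as something to confirm against the api's route definition rather than a confirmed gap.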
@@ -38,7 +38,7 @@ if [[ "$CREATE_OS_ARKIME_SESSION_INDEX" = "true" ]] ; then if [[ "$LOOP" == "primary" ]]; then OPENSEARCH_URL_TO_USE=${OPENSEARCH_URL:-"http://opensearch:9200"} OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} - OPENSEARCH_CREDS_CONFIG_FILE_TO_USE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} + OPENSEARCH_CREDS_CONFIG_FILE_TO_USE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.primary.curlrc"} if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE_TO_USE" ]]; then CURL_CONFIG_PARAMS=( --config @@ -51,7 +51,7 @@ if [[ "$CREATE_OS_ARKIME_SESSION_INDEX" = "true" ]] ; then elif [[ "$LOOP" == "secondary" ]] && [[ "${OPENSEARCH_SECONDARY:-"false"}" == "true" ]] && [[ -n "${OPENSEARCH_SECONDARY_URL:-""}" ]]; then OPENSEARCH_URL_TO_USE=$OPENSEARCH_SECONDARY_URL OPENSEARCH_LOCAL=false - OPENSEARCH_CREDS_CONFIG_FILE_TO_USE=${OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE:-"/var/local/opensearch.secondary.curlrc"} + OPENSEARCH_CREDS_CONFIG_FILE_TO_USE=${OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.secondary.curlrc"} if [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE_TO_USE" ]]; then CURL_CONFIG_PARAMS=( --config diff --git a/dashboards/scripts/docker_entrypoint.sh b/dashboards/scripts/docker_entrypoint.sh index 7b41be316..de78e2737 100755 --- a/dashboards/scripts/docker_entrypoint.sh +++ b/dashboards/scripts/docker_entrypoint.sh @@ -6,7 +6,7 @@ FINAL_YML=/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"} OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} -OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} +OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.primary.curlrc"} if [[ -f "$ORIG_YML" ]]; then cp "$ORIG_YML" "$FINAL_YML" 
@@ -16,7 +16,7 @@ if [[ -f "$ORIG_YML" ]]; then OPENSSL_PASSWORD= if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then pushd "$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" >/dev/null 2>&1 - NEW_USER_PASSWORD="$(python3 -c "import malcolm_common; result=malcolm_common.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" + NEW_USER_PASSWORD="$(python3 -c "import malcolm_utils; result=malcolm_utils.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" OPENSSL_USER="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f1)" OPENSSL_PASSWORD="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f2-)" popd >/dev/null 2>&1 diff --git a/dashboards/scripts/index-refresh.py b/dashboards/scripts/index-refresh.py index 3f4bb3518..06a6c9911 100755 --- a/dashboards/scripts/index-refresh.py +++ b/dashboards/scripts/index-refresh.py @@ -3,7 +3,7 @@ import argparse import json -import malcolm_common +import malcolm_utils import re import requests import os @@ -29,6 +29,7 @@ origPath = os.getcwd() urllib3.disable_warnings() + ################################################################################################### # print to stderr def eprint(*args, **kwargs): @@ -88,7 +89,7 @@ def main(): dest='opensearchCurlRcFile', metavar='', type=str, - default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc'), + default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/curlrc/.opensearch.primary.curlrc'), help='cURL.rc formatted file containing OpenSearch connection parameters', ) parser.add_argument( @@ -148,7 +149,7 @@ def main(): args.opensearchIsLocal = args.opensearchIsLocal or (args.opensearchUrl == 'http://opensearch:9200') opensearchCreds = ( - malcolm_common.ParseCurlFile(args.opensearchCurlRcFile) + malcolm_utils.ParseCurlFile(args.opensearchCurlRcFile) if (not args.opensearchIsLocal) else defaultdict(lambda: None) ) 
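Review bot: The credentials-file path on the `NEW_USER_PASSWORD=` line is still spliced into Python source as a single-quoted literal (`ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE')`), so a value of `OPENSEARCH_CREDS_CONFIG_FILE` containing `'` or a backslash either breaks the snippet or is executed as Python; the rename to `malcolm_utils` keeps that pattern unchanged. The variable is operator-controlled, so the exposure is low, but passing the path as an argument removes it entirely: `NEW_USER_PASSWORD="$(python3 -c "import sys, malcolm_utils; result=malcolm_utils.ParseCurlFile(sys.argv[1]); print(result['user']+'|'+result['password'])" "$OPENSEARCH_CREDS_CONFIG_FILE")"`. Note also that the `|` separator on the two `cut` lines below is only safe for the password because `-f2-` keeps everything after the first `|`; a username containing `|` would still be truncated, which is worth a short comment there. The enclosing `if [[ "$OPENSEARCH_LOCAL" == "false" ]]` block closes outside the hunk.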
@@ -199,7 +200,6 @@ def main(): eprint('Index ID for {} is {}'.format(args.index, indexId)) if indexId is not None: - # get the current fields list getFieldsResponse = requests.get( '{}/{}'.format(args.dashboardsUrl, GET_FIELDS_URI), @@ -214,7 +214,6 @@ def main(): # get the fields from the template, if specified, and merge those into the fields list if args.template is not None: try: - # request template from OpenSearch and pull the mappings/properties (field list) out getTemplateResponse = requests.get( '{}/{}/{}'.format(args.opensearchUrl, OS_GET_INDEX_TEMPLATE_URI, args.template), @@ -225,7 +224,6 @@ def main(): getTemplateResponseJson = getTemplateResponse.json() if 'index_templates' in getTemplateResponseJson: for template in getTemplateResponseJson['index_templates']: - templateFields = template['index_template']['template']['mappings']['properties'] # also include fields from component templates into templateFields before processing @@ -259,7 +257,6 @@ def main(): and ('type' in templateFields[field]) and (templateFields[field]['type'] in mergeFieldTypes) ): - # create field dict in same format as those returned by GET_FIELDS_URI above mergedFieldInfo = {} mergedFieldInfo['name'] = field @@ -321,7 +318,6 @@ def main(): fieldFormatMap = {} for field in getFieldsList: if field['name'][:1].isalpha(): - # for Arkime to query by database field name, see arkime issue/PR 1461/1463 valQuote = '"' if field['type'] == 'string' else '' valDbPrefix = '' if field['name'].startswith('zeek') else 'db:' diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json index c54b42ab3..255037c43 100644 --- a/dashboards/templates/composable/component/zeek_ot.json +++ b/dashboards/templates/composable/component/zeek_ot.json 
@@ -709,7 +709,94 @@ "zeek.s7comm_upload_download.function_name": { "type": "keyword"}, "zeek.s7comm_upload_download.function_status": { "type": "keyword"}, "zeek.s7comm_upload_download.rosctr_name": { "type": "keyword"}, - "zeek.s7comm_upload_download.session_id": { "type": "long"} + "zeek.s7comm_upload_download.session_id": { "type": "long"}, + "zeek.synchrophasor.data_frame_count": { "type": "long" }, + "zeek.synchrophasor.data_rate": { "type": "keyword" }, + "zeek.synchrophasor.data_stream_id": { "type": "keyword" }, + "zeek.synchrophasor.frame_size_max": { "type": "long" }, + "zeek.synchrophasor.frame_size_min": { "type": "long" }, + "zeek.synchrophasor.frame_size_tot": { "type": "long" }, + "zeek.synchrophasor.header_time_stamp": { "type": "date" }, + "zeek.synchrophasor.frame_size": { "type": "long" }, + "zeek.synchrophasor.frame_type": { "type": "keyword" }, + "zeek.synchrophasor.history": { "type": "keyword" }, + "zeek.synchrophasor.version": { "type": "keyword" }, + "zeek.synchrophasor_cfg.cfg_frame_id": { "type": "keyword" }, + "zeek.synchrophasor_cfg.cont_idx": { "type": "long" }, + "zeek.synchrophasor_cfg.pmu_count_actual": { "type": "long" }, + "zeek.synchrophasor_cfg.pmu_count_expected": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.analog_conv_analog_flags": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.analog_conv_mag_scale": { "type": "float" }, + "zeek.synchrophasor_cfg_detail.analog_conv_offset": { "type": "float" }, + "zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling": { "type": "integer" }, + "zeek.synchrophasor_cfg_detail.analog_format": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.annam": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.annmr": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.cfg_frame_id": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.cfgcnt": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.data_source_id": { "type": "long" }, + 
"zeek.synchrophasor_cfg_detail.dgnam": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.dgnmr": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.fnom": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.freq_format": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.global_pmuid": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.group_delay": { "type": "integer" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj": { "type": "float" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_phunit": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_phvalue": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor": { "type": "float" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation": { "type": "keyword" }, + 
"zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_conv_user_def": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.phasor_format": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phasor_shape": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phnam": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.phnmr": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.pmu_elev": { "type": "float" }, + "zeek.synchrophasor_cfg_detail.pmu_idx": { "type": "long" }, + "zeek.synchrophasor_cfg_detail.pmu_lat": { "type": "float" }, + "zeek.synchrophasor_cfg_detail.pmu_lon": { "type": "float" }, + "zeek.synchrophasor_cfg_detail.station_name": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.svc_class": { "type": "keyword" }, + "zeek.synchrophasor_cfg_detail.window": { "type": "integer" }, + "zeek.synchrophasor_cmd.command": { "type": "keyword" }, + "zeek.synchrophasor_cmd.extframe": { "type": "long" }, + "zeek.synchrophasor_data.data_frame_id": { "type": "keyword" }, + "zeek.synchrophasor_data.pmu_count_actual": { "type": "long" }, + "zeek.synchrophasor_data.pmu_count_expected": { "type": "long" }, + "zeek.synchrophasor_data_detail.analog_data": { "type": "float" }, + "zeek.synchrophasor_data_detail.config_change": { "type": "keyword" }, + "zeek.synchrophasor_data_detail.data_error_indicator": { "type": "long" }, + "zeek.synchrophasor_data_detail.data_frame_id": { "type": "keyword" }, + "zeek.synchrophasor_data_detail.data_modified": { "type": "keyword" }, + "zeek.synchrophasor_data_detail.data_sorting_type": { "type": "keyword" }, + "zeek.synchrophasor_data_detail.digital": { "type": "long" }, + "zeek.synchrophasor_data_detail.est_polar_angle": { "type": "float" }, + "zeek.synchrophasor_data_detail.est_polar_magnitude": { "type": "float" }, + "zeek.synchrophasor_data_detail.est_rectangular_imaginary": { "type": "float" }, + 
"zeek.synchrophasor_data_detail.est_rectangular_real": { "type": "float" }, + "zeek.synchrophasor_data_detail.freq_dev_mhz": { "type": "float" }, + "zeek.synchrophasor_data_detail.pmu_idx": { "type": "long" }, + "zeek.synchrophasor_data_detail.pmu_sync_error": { "type": "keyword" }, + "zeek.synchrophasor_data_detail.pmu_time_quality": { "type": "long" }, + "zeek.synchrophasor_data_detail.pmu_trigger_pickup": { "type": "keyword" }, + "zeek.synchrophasor_data_detail.rocof": { "type": "float" }, + "zeek.synchrophasor_data_detail.trigger_reason": { "type": "long" }, + "zeek.synchrophasor_data_detail.unlocked_time": { "type": "long" }, + "zeek.synchrophasor_hdr.data": { "type": "keyword" } } } } diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml index 2e11c66c4..f1efc89c0 100644 --- a/docker-compose-standalone.yml +++ b/docker-compose-standalone.yml 
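Review bot: `zeek.synchrophasor.header_time_stamp` is the only field in this hunk mapped as `date`; if the value reaches OpenSearch as a Zeek epoch `time` (fractional seconds) rather than a formatted date string, the default `date` parser will reject the whole document, so either the Logstash filter must convert it first or the mapping should declare the accepted form, e.g. `"zeek.synchrophasor.header_time_stamp": { "type": "date", "format": "strict_date_optional_time||epoch_second" }` — worth confirming against the filter that emits it. Separately, `analog_conv_user_defined_scaling`, `group_delay` and `window` are typed `integer` while every other counter in the synchrophasor block uses `long`; harmless, but `long` would keep the block self-consistent. The enclosing mappings object opens outside the hunk.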
@@ -2,382 +2,21 @@ version: '3.7' -################################################################################ -# Commonly tweaked configuration options -#------------------------------------------------------------------------------- -x-process-variables: &process-variables - # docker containers will run processes as unprivileged user with UID:GID - PUID : 1000 - PGID : 1000 - # for debugging container init via tini (https://github.com/krallin/tini) - TINI_VERBOSITY : 1 - -x-auth-variables: &auth-variables - # authentication method: encrypted HTTP basic authentication ('true') vs LDAP ('false') - NGINX_BASIC_AUTH : 'true' - # NGINX LDAP (NGINX_BASIC_AUTH=false) can support LDAP, LDAPS, or LDAP+StartTLS. - # For StartTLS, set NGINX_LDAP_TLS_STUNNEL=true to issue the StartTLS command - # and use stunnel to tunnel the connection. - NGINX_LDAP_TLS_STUNNEL : 'false' - # stunnel will require and verify certificates for StartTLS when one or more - # trusted CA certificate files are placed in the ./nginx/ca-trust directory. - # For additional security, hostname or IP address checking of the associated - # CA certificate(s) can be enabled by providing these values. - NGINX_LDAP_TLS_STUNNEL_CHECK_HOST : '' - NGINX_LDAP_TLS_STUNNEL_CHECK_IP : '' - NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL : 2 - -x-nginx-variables: &nginx-variables - # Whether or not nginx should use HTTPS. This is almost CERTAINLY what you want. - # The only case you may want to set this to false is if you're using another - # reverse proxy in front of Malcolm. Even if set to 'false', NGINX will still - # listen on port 443 (it just won't be encrypted). If you change this, you'll - # probably want to change "0.0.0.0:443:443" to something like - # "127.0.0.1:80:443" in the ports section for the nginx-proxy service. 
- NGINX_SSL : 'true' - # Whether or not to write nginx's access.log and error.log to OpenSearch - NGINX_LOG_ACCESS_AND_ERRORS : 'false' - -x-ssl-variables: &ssl-variables - # When possible, docker containers will automatically add trusted CA certificate files - # found in the ./nginx/ca-trust directory (which is bind mounted to /ca-trust). - PUSER_CA_TRUST : '/var/local/ca-trust' - -x-opensearch-variables: &opensearch-variables - # Used in various services to define the connection to the OpenSearch document store. - # Whether or not Malcolm will start and use its own local OpenSearch instance as its - # primary data store. Set to 'false' if you're connecting to another OpenSearch - # cluster, in which case the other environment variables in this section must also - # be set with the connection parameters. - OPENSEARCH_LOCAL : 'true' - # URL for connecting to OpenSearch instance. When using Malcolm's internal instance - # of OpenSearch (i.e., OPENSEARCH_LOCAL is 'true') this should be - # 'http://opensearch:9200', otherwise specify the primary remote instance URL - # in the format 'protocol://host:port'. - OPENSEARCH_URL : 'http://opensearch:9200' - # Used when OPENSEARCH_LOCAL is 'false', the cURL-formatted config file contains login - # credentials for the primary OpenSearch instance. It can be generated for you by the - # ./scripts/auth_setup script. The notable parameters expected from this file would be - # user (with a "user:password" value) and "insecure" (if the certificate verification - # setting below is 'false'). See cURL config file format at - # https://everything.curl.dev/cmdline/configfile. 
This file is bind mounted locally - # from .opensearch.primary.curlrc as /var/local/opensearch.primary.curlrc - OPENSEARCH_CREDS_CONFIG_FILE : '/var/local/opensearch.primary.curlrc' - # Whether or not connections to the primary remote OpenSearch instance require full - # TLS certificate validation for the connection (this may fail if using self-signed - # certificates). - OPENSEARCH_SSL_CERTIFICATE_VERIFICATION : 'false' - # Whether or not Malcolm's Logstash instance will forward logs to a secondary remote - # OpenSearch instance in addition to the (local or remote) primary instance. - OPENSEARCH_SECONDARY : 'false' - # URL for connecting to the secondary remote OpenSearch instance, specified - # in the format 'protocol://host:port'. - OPENSEARCH_SECONDARY_URL : '' - # Used when OPENSEARCH_SECONDARY is 'true', the cURL-formatted config file contains login - # credentials for the secondary OpenSearch instance. The comments describing - # OPENSEARCH_CREDS_CONFIG_FILE above also apply here. This file is bind mounted locally - # from .opensearch.secondary.curlrc as /var/local/opensearch.secondary.curlrc - OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE : '/var/local/opensearch.secondary.curlrc' - # Whether or not connections to the secondary remote OpenSearch instance require full - # TLS certificate validation for the connection (this may fail if using self-signed - # certificates). 
- OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION : 'false' - -x-arkime-variables: &arkime-variables - # Whether or not Arkime is allowed to delete uploaded/captured PCAP (see - # https://arkime.com/faq#pcap-deletion) - MANAGE_PCAP_FILES : 'false' - # The number of Arkime capture processes allowed to run concurrently - ARKIME_ANALYZE_PCAP_THREADS : 1 - # MaxMind GeoIP database update API key (see - # https://support.maxmind.com/hc/en-us/articles/4407116112539-Using-License-Keys) - MAXMIND_GEOIP_DB_LICENSE_KEY : '0' - -x-zeek-live-variables: &zeek-live-variables - # Whether or not Zeek should monitor live traffic on a local - # interface (PCAP_IFACE variable below specifies capture interfaces) - ZEEK_LIVE_CAPTURE : 'false' - -x-zeek-offline-variables: &zeek-offline-variables - # Whether or not Zeek should analyze uploaded PCAP files - ZEEK_AUTO_ANALYZE_PCAP_FILES : 'true' - # The number of Zeek processes for analyzing uploaded PCAP files allowed - # to run concurrently - ZEEK_AUTO_ANALYZE_PCAP_THREADS : 1 - # Whether or not Zeek should analyze captured PCAP files captured - # by netsniff-ng/tcpdump (see PCAP_ENABLE_NETSNIFF and PCAP_ENABLE_TCPDUMP - # below). If ZEEK_LIVE_CAPTURE is true, this should be false: otherwise - # Zeek will see duplicate traffic. 
- ZEEK_ROTATED_PCAP : 'true' - -x-zeek-variables: &zeek-variables - # Specifies the value for Zeek's Intel::item_expiration timeout (-1min to disable) - ZEEK_INTEL_ITEM_EXPIRATION : '-1min' - # When querying a TAXII or MISP feed, only process threat indicators that have - # been created or modified since the time represented by this value; - # it may be either a fixed date/time (01/01/2021) or relative interval (30 days ago) - ZEEK_INTEL_FEED_SINCE : '' - # Specifies a cron expression indicating the refresh interval for generating the - # Zeek Intelligence Framework files ('' disables automatic refresh) - ZEEK_INTEL_REFRESH_CRON_EXPRESSION : '' - # Determines the file extraction behavior for file transfers detected by Zeek - ZEEK_EXTRACTOR_MODE : 'none' - # Whether or not files extant in ./zeek-logs/extract_files/ will be ignored on startup - EXTRACTED_FILE_IGNORE_EXISTING : 'false' - # Determines the behavior for preservation of Zeek-extracted files - EXTRACTED_FILE_PRESERVATION : 'quarantined' - # The minimum size (in bytes) for files to be extracted by Zeek - EXTRACTED_FILE_MIN_BYTES : 64 - # The maximum size (in bytes) for files to be extracted by Zeek - EXTRACTED_FILE_MAX_BYTES : 134217728 - # A VirusTotal Public API v.20 used to submit hashes of Zeek-extracted files - VTOT_API2_KEY : '0' - # Rate limiting for VirusTotal, ClamAV, YARA and capa with Zeek-extracted files - VTOT_REQUESTS_PER_MINUTE : 4 - CLAMD_MAX_REQUESTS : 8 - YARA_MAX_REQUESTS : 8 - CAPA_MAX_REQUESTS : 4 - # Whether or not YARA will scan Zeek-extracted files - EXTRACTED_FILE_ENABLE_YARA : 'false' - # Whether or not the default YARA ruleset will be ignored and only custom rules used - EXTRACTED_FILE_YARA_CUSTOM_ONLY : 'false' - # Whether or not capa will scan Zeek-extracted executables - EXTRACTED_FILE_ENABLE_CAPA : 'false' - # Whether or not capa will be extra verbose - EXTRACTED_FILE_CAPA_VERBOSE : 'false' - # Whether or not ClamAV will scan Zeek-extracted executables - 
EXTRACTED_FILE_ENABLE_CLAMAV : 'false' - # Whether or not to regularly update rule definitions for file scanning engines - EXTRACTED_FILE_UPDATE_RULES : 'false' - # Whether or not to enable debug output for Zeek-extracted file scanning - EXTRACTED_FILE_PIPELINE_DEBUG : 'false' - # Whether or not to enable very verbose debug output for Zeek-extracted file scanning - EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA : 'false' - # Whether or not to serve the directory containing Zeek-extracted over HTTP at ./extracted-files/ - EXTRACTED_FILE_HTTP_SERVER_ENABLE : 'false' - # Whether or not Zeek-extracted files served over HTTP will be AES-256-CBC-encrypted - EXTRACTED_FILE_HTTP_SERVER_ENCRYPT : 'true' - # Specifies the AES-256-CBC decryption password for encrypted Zeek-extracted files served over HTTP - EXTRACTED_FILE_HTTP_SERVER_KEY : 'quarantined' - # Environment variables for tweaking Zeek at runtime (see local.zeek) - # Set to any non-blank value to disable the corresponding feature - ZEEK_DISABLE_HASH_ALL_FILES : '' - ZEEK_DISABLE_LOG_PASSWORDS : '' - ZEEK_DISABLE_SSL_VALIDATE_CERTS : '' - ZEEK_DISABLE_TRACK_ALL_ASSETS : '' - ZEEK_DISABLE_BEST_GUESS_ICS : 'true' - ZEEK_DISABLE_SPICY_DHCP : 'true' - ZEEK_DISABLE_SPICY_DNS : 'true' - ZEEK_DISABLE_SPICY_HTTP : 'true' - ZEEK_DISABLE_SPICY_IPSEC : '' - ZEEK_DISABLE_SPICY_LDAP : '' - ZEEK_DISABLE_SPICY_OPENVPN : '' - ZEEK_DISABLE_SPICY_STUN : '' - ZEEK_DISABLE_SPICY_TAILSCALE : '' - ZEEK_DISABLE_SPICY_TFTP : '' - ZEEK_DISABLE_SPICY_WIREGUARD : '' - -x-suricata-live-variables: &suricata-live-variables - # Whether or not Suricata should monitor live traffic on a local - # interface (PCAP_IFACE variable below specifies capture interfaces) - SURICATA_LIVE_CAPTURE : 'false' - # Specifies the Suricata runmode for live capture (see - # https://suricata.readthedocs.io/en/latest/performance/runmodes.html) - SURICATA_RUNMODE : 'workers' - -x-suricata-offline-variables: &suricata-offline-variables - # Whether or not Suricata should analyze 
uploaded PCAP files - SURICATA_AUTO_ANALYZE_PCAP_FILES: 'true' - # The number of Suricata processes for analyzing uploaded PCAP files allowed - # to run concurrently - SURICATA_AUTO_ANALYZE_PCAP_THREADS : 1 - # Whether or not Suricata should analyze captured PCAP files captured - # by netsniff-ng/tcpdump (see PCAP_ENABLE_NETSNIFF and PCAP_ENABLE_TCPDUMP - # below). If SURICATA_LIVE_CAPTURE is true, this should be false: otherwise - # Suricata will see duplicate traffic. - SURICATA_ROTATED_PCAP : 'true' - -x-suricata-variables: &suricata-variables - # Whether or not the default Suricata ruleset will be ignored and only custom rules used - SURICATA_CUSTOM_RULES_ONLY : 'false' - SURICATA_UPDATE_RULES: 'false' - SURICATA_UPDATE_DEBUG: 'false' - SURICATA_UPDATE_ETOPEN: 'true' - # suricata_config_populate.py can use MANY more environment variables to tweak - # suricata.yaml (see https://github.com/OISF/suricata/blob/master/suricata.yaml.in and - # https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html). - # DEFAULT_VARS in that script defines those variables (albeit without the - # required `SURICATA_` prefixing each) - -x-dashboards-helper-variables: &dashboards-helper-variables - # Whether or not to set OpenSearch Dashboards to dark mode - DASHBOARDS_DARKMODE : 'true' - # The maximum cumulative size of OpenSearch indices containing network traffic metadata - # (arkime_sessions3-*) before which the oldest indices will be deleted ('' to disable - # storage-based index pruning). 
- OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT : '0' - # Whether to determine the "oldest" indices for storage-based index pruning by creation - # date/time ('true') or index name ('false') - OPENSEARCH_INDEX_SIZE_PRUNE_NAME_SORT : 'false' - # Parameters for the OpenSearch repository used for index snapshots - ISM_SNAPSHOT_COMPRESSED : 'false' - ISM_SNAPSHOT_REPO : 'logs' - -x-logstash-variables: &logstash-variables - # Parameters for tuning Logstash pipelines (see - # https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html) - pipeline.workers : 3 - pipeline.batch.size : 75 - pipeline.batch.delay : 50 - # Whether or not Logstash will map MAC addresses to vendors for MAC addresses - LOGSTASH_OUI_LOOKUP : 'true' - # Whether or not Logstash will perform severity scoring on network traffic metadata - LOGSTASH_SEVERITY_SCORING : 'true' - # Whether or not Logstash will perform a reverse DNS lookup for external IP addresses - LOGSTASH_REVERSE_DNS : 'false' - # Whether or not Logstash will enrich network traffic metadata directly from net-map.json - LOGSTASH_NETWORK_MAP_ENRICHMENT : 'true' - # Whether or not Logstash will enrich network traffic metadata via NetBox API calls - LOGSTASH_NETBOX_ENRICHMENT : 'false' - -x-filebeat-variables: &filebeat-variables - # filebeat parameters used for monitoring log files containing network traffic metadata - # (see https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html) - FILEBEAT_SCAN_FREQUENCY : '10s' - FILEBEAT_CLEAN_INACTIVE : '180m' - FILEBEAT_IGNORE_OLDER : '120m' - FILEBEAT_CLOSE_INACTIVE : '120s' - FILEBEAT_CLOSE_INACTIVE_LIVE : '90m' - FILEBEAT_CLOSE_RENAMED : 'true' - FILEBEAT_CLOSE_REMOVED : 'true' - FILEBEAT_CLOSE_EOF : 'true' - FILEBEAT_CLEAN_REMOVED : 'true' - # Whether or not to expose a filebeat TCP input listener (see - # https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) - FILEBEAT_TCP_LISTEN : 'false' - # Log format expected for events sent to the 
filebeat TCP input listener ('json' or 'raw') - FILEBEAT_TCP_LOG_FORMAT : 'raw' - # Source field name to parse (when FILEBEAT_TCP_LOG_FORMAT is 'json') for events sent to the - # filebeat TCP input listener - FILEBEAT_TCP_PARSE_SOURCE_FIELD : 'message' - # Target field name to store decoded JSON fields (when FILEBEAT_TCP_LOG_FORMAT is 'json') for - # events sent to the filebeat TCP input listener - FILEBEAT_TCP_PARSE_TARGET_FIELD : '' - # Name of field to drop (if it exists) in events sent to the filebeat TCP input listener - FILEBEAT_TCP_PARSE_DROP_FIELD : '' - # Tag to append to events sent to the filebeat TCP input listener - FILEBEAT_TCP_TAG : '_malcolm_beats' - -x-netbox-variables: &netbox-variables - # Parameters related to NetBox (and supporting tools). Note that other more specific parameters - # can also be configured in the env_file files for netbox* services - # The name of the default "site" to be created upon NetBox initialization, and to be queried - # for enrichment (see LOGSTASH_NETBOX_ENRICHMENT) - NETBOX_DEFAULT_SITE : 'Malcolm' - # Whether to disable Malcolm's NetBox instance ('true') or not ('false') - NETBOX_DISABLED : &netboxdisabled 'true' - NETBOX_POSTGRES_DISABLED : *netboxdisabled - NETBOX_REDIS_DISABLED : *netboxdisabled - NETBOX_REDIS_CACHE_DISABLED : *netboxdisabled - # Whether or not to periodically query network traffic metadata and use it to populate NetBox - NETBOX_CRON : 'false' - # If using the NetBox interface to create API tokens, set this - # (see https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins) - # CSRF_TRUSTED_ORIGINS : 'https://malcolm.example.org' - -x-common-upload-variables: &common-upload-variables - # Whether or not to automatically apply tags based (on the PCAP filename) to network traffic metadata - # parsed from uploaded PCAP files - AUTO_TAG : 'true' - # The node name (e.g., the hostname of this machine running Malcolm) to associate with - # network traffic metadata - PCAP_NODE_NAME : 
'malcolm' - # Whether or not to enable debug output for processing uploaded/captured PCAP files - PCAP_PIPELINE_DEBUG : 'false' - # Whether or not to enable very verbose debug output for processing uploaded/captured PCAP files - PCAP_PIPELINE_DEBUG_EXTRA : 'false' - # Whether or not PCAP files extant in ./pcap/ will be ignored on startup - PCAP_PIPELINE_IGNORE_PREEXISTING : 'false' - # 'pcap-monitor' to match the name of the container providing the uploaded/captured PCAP file - # monitoring service - PCAP_MONITOR_HOST : 'pcap-monitor' - # The age (in minutes) at which already-processed log files containing network traffic metadata should - # be pruned from the filesystem - LOG_CLEANUP_MINUTES : 360 - # The age (in minutes) at which the compressed archives containing already-processed log files should - # be pruned from the filesystem - ZIP_CLEANUP_MINUTES : 720 - -x-common-lookup-variables: &common-lookup-variables - # Whether or not domain names (from DNS queries and SSL server names) will be assigned entropy scores - # as calculated by freq - FREQ_LOOKUP : 'true' - # When severity scoring is enabled, this variable indicates the entropy threshold for - # assigning severity to events with entropy scores calculated by freq; - # a lower value will only assign severity scores to fewer domain names with higher entropy - FREQ_SEVERITY_THRESHOLD : '2.0' - # When severity scoring is enabled, this variable indicates the size threshold (in megabytes) - # for assigning severity to large connections or file transfers - TOTAL_MEGABYTES_SEVERITY_THRESHOLD : 1000 - # When severity scoring is enabled, this variable indicates the duration threshold (in seconds) - # for assigning severity to long connections - CONNECTION_SECONDS_SEVERITY_THRESHOLD : 3600 - # When severity scoring is enabled, this variable defines a comma-separated list of - # sensitive countries (using ISO 3166-1 alpha-2 codes) - SENSITIVE_COUNTRY_CODES : 
'AM,AZ,BY,CN,CU,DZ,GE,HK,IL,IN,IQ,IR,KG,KP,KZ,LY,MD,MO,PK,RU,SD,SS,SY,TJ,TM,TW,UA,UZ' - -x-common-beats-variables: &common-beats-variables - # Whether or not Logstash will use require encrypted communications for any external - # Beats-based forwarders from which it will accept logs - BEATS_SSL : 'true' - -x-pcap-capture-variables: &pcap-capture-variables - # Whether or not netsniff-ng should create PCAP files from live traffic on a local - # interface for analysis by Arkime capture (should be 'false' if PCAP_ENABLE_TCPDUMP - # is 'true') - PCAP_ENABLE_NETSNIFF : 'false' - # Whether or not tcpdump should create PCAP files from live traffic on a local - # interface for analysis by Arkime capture (should be 'false' if PCAP_ENABLE_NETSNIFF - # is 'true') - PCAP_ENABLE_TCPDUMP : 'false' - # Specifies local network interface(s) for local packet capture if PCAP_ENABLE_NETSNIFF, - # PCAP_ENABLE_TCPDUMP, ZEEK_LIVE_CAPTURE or SURICATA_LIVE_CAPTURE are 'true' - PCAP_IFACE : 'lo' - # Whether or not ethtool will disable NIC hardware offloading features and adjust - # ring buffer sizes for capture interface(s) (should be 'true' if the interface(s) are - # being used for capture only, 'false' if they are being used for management/communication) - PCAP_IFACE_TWEAK : 'false' - # Specifies how large a locally-captured PCAP file can become (in megabytes) before - # it is closed for processing and a new PCAP file created - PCAP_ROTATE_MEGABYTES : 4096 - # Specifies a time interval (in minutes) after which a locally-captured PCAP file - # will be closed for processing and a new PCAP file created - PCAP_ROTATE_MINUTES : 10 - # Specifies a tcpdump-style filter expression for local packet capture ('' to capture all traffic) - PCAP_FILTER : '' -################################################################################ - services: opensearch: - image: ghcr.io/idaholab/malcolm/opensearch:23.04.0 + image: ghcr.io/idaholab/malcolm/opensearch:23.05.0 restart: "no" stdin_open: false tty: 
true hostname: opensearch networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env environment: - <<: [*opensearch-variables, *ssl-variables, *process-variables] - logger.level : 'WARN' - bootstrap.memory_lock : 'true' - MAX_LOCKED_MEMORY : 'unlimited' - OPENSEARCH_JAVA_OPTS : '-server -Xms4g -Xmx4g -Xss256k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true' VIRTUAL_HOST : 'os.malcolm.local' - discovery.type : 'single-node' - cluster.routing.allocation.disk.threshold_enabled : 'false' - cluster.routing.allocation.node_initial_primaries_recoveries : 8 - indices.query.bool.max_clause_count : 4096 - path.repo : '/opt/opensearch/backup' ulimits: memlock: soft: -1 @@ -386,11 +25,11 @@ services: - IPC_LOCK volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/curlrc/.opensearch.secondary.curlrc:ro - ./opensearch:/usr/share/opensearch/data:delegated - ./opensearch-backup:/opt/opensearch/backup:delegated - - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/opensearch.keystore:rw + - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/persist/opensearch.keystore:rw healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:9200"] interval: 30s 
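Review bot: The new `env_file:` entries point the service at `./config/process.env`, `./config/ssl.env` and `./config/opensearch.env`, but nothing in the compose file now says that these files can hold credentials; the inline anchors they replace carried, among other things, the remote OpenSearch connection settings and (for other services) API keys and the extracted-file encryption key, so at least some of the new `config/*.env` files presumably do too. A one-line comment above the first `env_file:` block, e.g. `# config/*.env may hold API keys and passwords: keep them out of version control and readable only by the operator (chmod 600)`, would preserve the warning the per-section comments used to give. It is also worth confirming that whichever env file now carries `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` documents that its former inline default was `'false'`, since that default disables TLS certificate checking for remote OpenSearch connections and is no longer visible from this file.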
@@ -398,27 +37,26 @@ services: retries: 3 start_period: 180s dashboards-helper: - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.04.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:23.05.0 restart: "no" stdin_open: false tty: true hostname: dashboards-helper networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/dashboards-helper.env environment: - <<: [*dashboards-helper-variables, *opensearch-variables, *ssl-variables, *process-variables] - DASHBOARDS_URL : 'http://dashboards:5601/dashboards' VIRTUAL_HOST : 'dashboards-helper.malcolm.local' - ARKIME_INDEX_PATTERN : 'arkime_sessions3-*' - ARKIME_INDEX_PATTERN_ID : 'arkime_sessions3-*' - ARKIME_INDEX_TIME_FIELD : 'firstPacket' - CREATE_OS_ARKIME_SESSION_INDEX : 'true' depends_on: - opensearch volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/curlrc/.opensearch.secondary.curlrc:ro healthcheck: test: ["CMD", "supervisorctl", "status", "cron", "maps"] interval: 60s 
@@ -426,22 +64,25 @@ services: retries: 3 start_period: 30s dashboards: - image: ghcr.io/idaholab/malcolm/dashboards:23.04.0 + image: ghcr.io/idaholab/malcolm/dashboards:23.05.0 restart: "no" stdin_open: false tty: true hostname: dashboards networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env environment: - <<: [*opensearch-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'dashboards.malcolm.local' depends_on: - opensearch - dashboards-helper volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5601/dashboards/api/status"] interval: 30s @@ -449,7 +90,7 @@ services: retries: 3 start_period: 210s logstash: - image: ghcr.io/idaholab/malcolm/logstash-oss:23.04.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:23.05.0 restart: "no" stdin_open: false tty: true 
@@ -462,23 +103,28 @@ services: hard: -1 cap_add: - IPC_LOCK - env_file: ./netbox/env/netbox.env - environment: - <<: [*common-lookup-variables, *common-beats-variables, *logstash-variables, *netbox-variables, *opensearch-variables, *ssl-variables, *process-variables] - LS_JAVA_OPTS : '-server -Xms2g -Xmx2g -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/netbox-common.env + - ./config/netbox.env + - ./config/netbox-secret.env + - ./config/beats-common.env + - ./config/lookup-common.env + - ./config/logstash.env depends_on: - opensearch ports: - "127.0.0.1:5044:5044" volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/curlrc/.opensearch.secondary.curlrc:ro - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro - ./logstash/certs/ca.crt:/certs/ca.crt:ro - ./logstash/certs/server.crt:/certs/server.crt:ro - ./logstash/certs/server.key:/certs/server.key:ro - - ./net-map.json:/usr/share/logstash/config/net-map.json:ro healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:9600"] interval: 30s 
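Review bot: `LS_JAVA_OPTS`, including `-Dlog4j.formatMsgNoLookups=true`, is dropped from the compose file here and presumably moves to `./config/logstash.env`, which the diff does not show; confirm that file still sets the log4j lookup mitigation and the heap sizing, since an env_file that omits it silently reverts to the image default. Logstash also now sources `./config/netbox-secret.env`; if that file holds more than the NetBox API token the enrichment pipeline needs (for example database credentials), a narrower file would keep secrets scoped to the containers that use them. The `./net-map.json` mount is removed while the removed `x-logstash-variables` block elsewhere in this diff defaults `LOGSTASH_NETWORK_MAP_ENRICHMENT` to 'true', so verify `logstash.env` no longer expects that file.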
@@ -486,26 +132,28 @@ services: retries: 3 start_period: 600s filebeat: - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.04.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:23.05.0 restart: "no" stdin_open: false tty: true hostname: filebeat networks: - default - environment: - <<: [*common-beats-variables, *common-upload-variables, *filebeat-variables, *opensearch-variables, *nginx-variables, *ssl-variables, *process-variables] - FILEBEAT_ZEEK_LOG_PATH : '/zeek/current' - FILEBEAT_ZEEK_LOG_LIVE_PATH : '/zeek/live' - FILEBEAT_SURICATA_LOG_PATH : '/suricata' - FILEBEAT_NGINX_LOG_PATH : '/nginx' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/upload-common.env + - ./config/nginx.env + - ./config/beats-common.env + - ./config/filebeat.env depends_on: - logstash ports: - "127.0.0.1:5045:5045" volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro - nginx-log-path:/nginx:ro - ./zeek-logs:/zeek - ./suricata-logs:/suricata @@ -519,7 +167,7 @@ services: retries: 3 start_period: 60s arkime: - image: ghcr.io/idaholab/malcolm/arkime:23.04.0 + image: ghcr.io/idaholab/malcolm/arkime:23.05.0 restart: "no" stdin_open: false tty: true @@ -527,13 +175,15 @@ services: networks: - default env_file: - - ./auth.env + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/upload-common.env + - ./config/auth.env + - ./config/arkime.env + - ./config/arkime-secret.env environment: - <<: [*arkime-variables, *common-upload-variables, *opensearch-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'arkime.malcolm.local' - OPENSEARCH_MAX_SHARDS_PER_NODE : 2500 - VIEWER : 'on' - WISE : 'on' ulimits: memlock: soft: -1 
@@ -542,7 +192,7 @@ services: - opensearch volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro - ./pcap:/data/pcap - ./arkime-logs:/opt/arkime/logs - ./arkime-raw:/opt/arkime/raw @@ -553,7 +203,7 @@ services: retries: 3 start_period: 210s zeek: - image: ghcr.io/idaholab/malcolm/zeek:23.04.0 + image: ghcr.io/idaholab/malcolm/zeek:23.05.0 restart: "no" stdin_open: false tty: true @@ -569,10 +219,13 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*zeek-offline-variables, *zeek-variables, *common-upload-variables, *ssl-variables, *process-variables] - ZEEK_PCAP_PROCESSOR : 'true' - ZEEK_CRON : 'false' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/upload-common.env + - ./config/zeek.env + - ./config/zeek-secret.env + - ./config/zeek-offline.env depends_on: - opensearch volumes: @@ -588,7 +241,7 @@ services: retries: 3 start_period: 60s zeek-live: - image: ghcr.io/idaholab/malcolm/zeek:23.04.0 + image: ghcr.io/idaholab/malcolm/zeek:23.05.0 restart: "no" stdin_open: false tty: true 
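Review bot: The `zeek` service (and `zeek-live` in the next hunk, then `file-monitor` later) now sources `./config/zeek-secret.env`; judging by the variables previously inlined under `x-zeek-variables` elsewhere in this diff, that file likely carries the VirusTotal API key and the extracted-file HTTP server password. If the Zeek containers only extract files and scanning and serving happen in `file-monitor`, they do not need those values, and either a narrower env_file or a comment such as `# zeek-secret.env: needed here only if this container scans or serves extracted files` would document the decision. The zeek service's `volumes:` list continues outside the hunk.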
@@ -602,20 +255,21 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*pcap-capture-variables, *zeek-live-variables, *zeek-variables, *common-upload-variables, *ssl-variables, *process-variables] - ZEEK_PCAP_PROCESSOR : 'false' - ZEEK_CRON : 'true' - ZEEK_LOG_PATH : '/zeek/live' - ZEEK_INTEL_PATH : '/opt/zeek/share/zeek/site/intel' - EXTRACT_FILES_PATH : '/zeek/extract_files' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/upload-common.env + - ./config/pcap-capture.env + - ./config/zeek.env + - ./config/zeek-secret.env + - ./config/zeek-live.env volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./zeek-logs/live:/zeek/live - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek/intel:/opt/zeek/share/zeek/site/intel suricata: - image: ghcr.io/idaholab/malcolm/suricata:23.04.0 + image: ghcr.io/idaholab/malcolm/suricata:23.05.0 restart: "no" stdin_open: false tty: true @@ -631,9 +285,12 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*suricata-offline-variables, *suricata-variables, *common-upload-variables, *ssl-variables, *process-variables] - SURICATA_PCAP_PROCESSOR : 'true' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/upload-common.env + - ./config/suricata.env + - ./config/suricata-offline.env depends_on: - logstash volumes: @@ -648,7 +305,7 @@ services: retries: 3 start_period: 120s suricata-live: - image: ghcr.io/idaholab/malcolm/suricata:23.04.0 + image: ghcr.io/idaholab/malcolm/suricata:23.05.0 restart: "no" stdin_open: false tty: true 
@@ -662,23 +319,31 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*pcap-capture-variables, *suricata-live-variables, *suricata-variables, *common-upload-variables, *ssl-variables, *process-variables] - SURICATA_PCAP_PROCESSOR : 'false' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/upload-common.env + - ./config/pcap-capture.env + - ./config/suricata.env + - ./config/suricata-live.env volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata - ./suricata/rules:/opt/suricata/rules:ro file-monitor: - image: ghcr.io/idaholab/malcolm/file-monitor:23.04.0 + image: ghcr.io/idaholab/malcolm/file-monitor:23.05.0 restart: "no" stdin_open: false tty: true hostname: file-monitor networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/zeek.env + - ./config/zeek-secret.env environment: - <<: [*zeek-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'file-monitor.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro @@ -692,7 +357,7 @@ services: retries: 3 start_period: 60s pcap-capture: - image: ghcr.io/idaholab/malcolm/pcap-capture:23.04.0 + image: ghcr.io/idaholab/malcolm/pcap-capture:23.05.0 restart: "no" stdin_open: false tty: true 
@@ -706,26 +371,31 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*pcap-capture-variables, *ssl-variables, *process-variables] + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/pcap-capture.env volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap/upload:/pcap pcap-monitor: - image: ghcr.io/idaholab/malcolm/pcap-monitor:23.04.0 + image: ghcr.io/idaholab/malcolm/pcap-monitor:23.05.0 restart: "no" stdin_open: false tty: true - hostname: pcapmon + hostname: pcap-monitor networks: - default - environment: - <<: [*common-upload-variables, *opensearch-variables, *ssl-variables, *process-variables] + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/upload-common.env depends_on: - opensearch volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro - ./zeek-logs:/zeek - ./pcap:/pcap healthcheck: @@ -735,7 +405,7 @@ services: retries: 3 start_period: 90s upload: - image: ghcr.io/idaholab/malcolm/file-upload:23.04.0 + image: ghcr.io/idaholab/malcolm/file-upload:23.05.0 restart: "no" stdin_open: false tty: true @@ -743,10 +413,11 @@ services: networks: - default env_file: - - ./auth.env + - ./config/process.env + - ./config/ssl.env + - ./config/auth.env + - ./config/upload.env environment: - <<: [*ssl-variables, *process-variables] - SITE_NAME : 'Capture File and Log Archive Upload' VIRTUAL_HOST : 'upload.malcolm.local' depends_on: - arkime 
@@ -762,21 +433,24 @@ services: retries: 3 start_period: 60s htadmin: - image: ghcr.io/idaholab/malcolm/htadmin:23.04.0 + image: ghcr.io/idaholab/malcolm/htadmin:23.05.0 restart: "no" stdin_open: false tty: true hostname: htadmin networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/auth-common.env environment: - <<: [*auth-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'htadmin.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw + - ./nginx/htpasswd:/var/www/htadmin/auth/htpasswd:rw healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost"] interval: 60s @@ -784,15 +458,18 @@ services: retries: 3 start_period: 60s freq: - image: ghcr.io/idaholab/malcolm/freq:23.04.0 + image: ghcr.io/idaholab/malcolm/freq:23.05.0 restart: "no" stdin_open: false tty: true hostname: freq networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/lookup-common.env environment: - <<: [*common-lookup-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'freq.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro 
@@ -802,37 +479,21 @@ services: timeout: 15s retries: 3 start_period: 60s - name-map-ui: - image: ghcr.io/idaholab/malcolm/name-map-ui:23.04.0 - restart: "no" - stdin_open: false - tty: true - hostname: name-map-ui - networks: - - default - environment: - <<: [*ssl-variables, *process-variables] - VIRTUAL_HOST : 'name-map-ui.malcolm.local' - volumes: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./net-map.json:/var/www/html/maps/net-map.json:rw - healthcheck: - test: ["CMD", "curl", "--silent", "--fail", "http://localhost:8080/fpm-ping"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 60s netbox: - image: ghcr.io/idaholab/malcolm/netbox:23.04.0 + image: ghcr.io/idaholab/malcolm/netbox:23.05.0 restart: "no" stdin_open: false tty: true hostname: netbox networks: - default - env_file: ./netbox/env/netbox.env + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/netbox-common.env + - ./config/netbox.env + - ./config/netbox-secret.env environment: - <<: [*netbox-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'netbox.malcolm.local' depends_on: - netbox-postgres @@ -852,16 +513,19 @@ services: retries: 3 start_period: 120s netbox-postgres: - image: ghcr.io/idaholab/malcolm/postgresql:23.04.0 + image: ghcr.io/idaholab/malcolm/postgresql:23.05.0 restart: "no" stdin_open: false tty: true hostname: netbox-postgres networks: - default - env_file: ./netbox/env/postgres.env + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/netbox-common.env + - ./config/netbox-postgres.env environment: - <<: [*netbox-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'netbox-postgres.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro 
@@ -873,16 +537,19 @@ services: retries: 3 start_period: 45s netbox-redis: - image: ghcr.io/idaholab/malcolm/redis:23.04.0 + image: ghcr.io/idaholab/malcolm/redis:23.05.0 restart: "no" stdin_open: false tty: true hostname: netbox-redis networks: - default - env_file: ./netbox/env/redis.env + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/netbox-common.env + - ./config/netbox-redis.env environment: - <<: [*netbox-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'netbox-redis.malcolm.local' command: - sh @@ -898,16 +565,19 @@ services: retries: 3 start_period: 45s netbox-redis-cache: - image: ghcr.io/idaholab/malcolm/redis:23.04.0 + image: ghcr.io/idaholab/malcolm/redis:23.05.0 restart: "no" stdin_open: false tty: true hostname: netbox-redis-cache networks: - default - env_file: ./netbox/env/redis-cache.env + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/netbox-common.env + - ./config/netbox-redis-cache.env environment: - <<: [*netbox-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'netbox-redis-cache.malcolm.local' command: - sh @@ -922,7 +592,7 @@ services: retries: 3 start_period: 45s api: - image: ghcr.io/idaholab/malcolm/api:23.04.0 + image: ghcr.io/idaholab/malcolm/api:23.05.0 command: gunicorn --bind 0:5000 manage:app restart: "no" stdin_open: false 
@@ -930,47 +600,50 @@ services: hostname: api networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env environment: - <<: [*opensearch-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'api.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro healthcheck: - test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5000/ping"] + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5000/mapi/ping"] interval: 30s timeout: 15s retries: 3 start_period: 60s nginx-proxy: - image: ghcr.io/idaholab/malcolm/nginx-proxy:23.04.0 + image: ghcr.io/idaholab/malcolm/nginx-proxy:23.05.0 restart: "no" stdin_open: false tty: true hostname: nginx-proxy networks: - default - environment: - <<: [*nginx-variables, *auth-variables, *ssl-variables, *process-variables] + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/auth-common.env + - ./config/nginx.env depends_on: - api - arkime - dashboards - file-monitor - htadmin - - name-map-ui - netbox - upload ports: - "0.0.0.0:443:443" - - "0.0.0.0:488:488" - - "127.0.0.1:5601:5601" - "127.0.0.1:9200:9200" volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - nginx-log-path:/var/log/nginx:rw - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro - - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro + - ./nginx/htpasswd:/etc/nginx/auth/htpasswd:ro - ./nginx/certs:/etc/nginx/certs:ro - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro healthcheck: 
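Review bot: The htpasswd bind mount inside nginx-proxy moves from `/etc/nginx/.htpasswd` to `/etc/nginx/auth/htpasswd`, but the nginx configuration that references it (the `auth_basic_user_file` directive) is not part of this diff; confirm it was updated, otherwise basic-auth requests fail at startup with a missing-file error. The same host file is mounted `:rw` into htadmin in an earlier hunk, so the `:ro` here is the right direction and deserves a comment such as `# read-only here: htadmin owns writes to this file`. Dropping the `0.0.0.0:488:488` and `127.0.0.1:5601:5601` publications shrinks the host-exposed surface; any documentation that still points at those ports should follow.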
@@ -980,15 +653,15 @@ services: retries: 3 start_period: 120s labels: - traefik.enable: "false" - # traefik.http.routers.osmalcolm.rule: 'Host(`opensearch.malcolm.example.org`)' - # traefik.http.routers.osmalcolm.entrypoints: 'websecure' - # traefik.http.routers.osmalcolm.tls.certresolver: 'myresolver' + traefik.enable: 'false' + # traefik.http.routers.osmalcolm.rule: 'Host(``)' + # traefik.http.routers.osmalcolm.entrypoints: '' + # traefik.http.routers.osmalcolm.tls.certresolver: '' # traefik.http.routers.osmalcolm.service: 'osmalcolm' # traefik.http.services.osmalcolm.loadbalancer.server.port: '9200' - # traefik.http.routers.malcolm.rule: 'Host(`malcolm.example.org`)' - # traefik.http.routers.malcolm.entrypoints: 'websecure' - # traefik.http.routers.malcolm.tls.certresolver: 'myresolver' + # traefik.http.routers.malcolm.rule: 'Host(``)' + # traefik.http.routers.malcolm.entrypoints: '' + # traefik.http.routers.malcolm.tls.certresolver: '' # traefik.http.routers.malcolm.service: 'malcolm' # traefik.http.services.malcolm.loadbalancer.server.port: '443' @@ -998,4 +671,4 @@ volumes: networks: default: - external: false \ No newline at end of file + external: false diff --git a/docker-compose.yml b/docker-compose.yml index 600d418e8..e2a7bbed1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
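Review bot: The commented Traefik examples now have an empty host inside the Host() matcher and empty strings for `entrypoints` and `tls.certresolver`, so a user who uncomments them gets a rule that matches nothing and a blank resolver rather than a working template. If these are placeholders filled in by a setup script, a comment on the `labels:` block saying so would avoid confusion; otherwise keep an illustrative placeholder such as `<malcolm-fqdn>` in the matcher and `<entrypoint>`/`<resolver>` in the other two. Quoting `traefik.enable` with single quotes matches every other string value in this file.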
@@ -2,385 +2,24 @@ version: '3.7' -################################################################################ -# Commonly tweaked configuration options -#------------------------------------------------------------------------------- -x-process-variables: &process-variables - # docker containers will run processes as unprivileged user with UID:GID - PUID : 1000 - PGID : 1000 - # for debugging container init via tini (https://github.com/krallin/tini) - TINI_VERBOSITY : 1 - -x-auth-variables: &auth-variables - # authentication method: encrypted HTTP basic authentication ('true') vs LDAP ('false') - NGINX_BASIC_AUTH : 'true' - # NGINX LDAP (NGINX_BASIC_AUTH=false) can support LDAP, LDAPS, or LDAP+StartTLS. - # For StartTLS, set NGINX_LDAP_TLS_STUNNEL=true to issue the StartTLS command - # and use stunnel to tunnel the connection. - NGINX_LDAP_TLS_STUNNEL : 'false' - # stunnel will require and verify certificates for StartTLS when one or more - # trusted CA certificate files are placed in the ./nginx/ca-trust directory. - # For additional security, hostname or IP address checking of the associated - # CA certificate(s) can be enabled by providing these values. - NGINX_LDAP_TLS_STUNNEL_CHECK_HOST : '' - NGINX_LDAP_TLS_STUNNEL_CHECK_IP : '' - NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL : 2 - -x-nginx-variables: &nginx-variables - # Whether or not nginx should use HTTPS. This is almost CERTAINLY what you want. - # The only case you may want to set this to false is if you're using another - # reverse proxy in front of Malcolm. Even if set to 'false', NGINX will still - # listen on port 443 (it just won't be encrypted). If you change this, you'll - # probably want to change "0.0.0.0:443:443" to something like - # "127.0.0.1:80:443" in the ports section for the nginx-proxy service. 
- NGINX_SSL : 'true' - # Whether or not to write nginx's access.log and error.log to OpenSearch - NGINX_LOG_ACCESS_AND_ERRORS : 'false' - -x-ssl-variables: &ssl-variables - # When possible, docker containers will automatically add trusted CA certificate files - # found in the ./nginx/ca-trust directory (which is bind mounted to /ca-trust). - PUSER_CA_TRUST : '/var/local/ca-trust' - -x-opensearch-variables: &opensearch-variables - # Used in various services to define the connection to the OpenSearch document store. - # Whether or not Malcolm will start and use its own local OpenSearch instance as its - # primary data store. Set to 'false' if you're connecting to another OpenSearch - # cluster, in which case the other environment variables in this section must also - # be set with the connection parameters. - OPENSEARCH_LOCAL : 'true' - # URL for connecting to OpenSearch instance. When using Malcolm's internal instance - # of OpenSearch (i.e., OPENSEARCH_LOCAL is 'true') this should be - # 'http://opensearch:9200', otherwise specify the primary remote instance URL - # in the format 'protocol://host:port'. - OPENSEARCH_URL : 'http://opensearch:9200' - # Used when OPENSEARCH_LOCAL is 'false', the cURL-formatted config file contains login - # credentials for the primary OpenSearch instance. It can be generated for you by the - # ./scripts/auth_setup script. The notable parameters expected from this file would be - # user (with a "user:password" value) and "insecure" (if the certificate verification - # setting below is 'false'). See cURL config file format at - # https://everything.curl.dev/cmdline/configfile. 
This file is bind mounted locally - # from .opensearch.primary.curlrc as /var/local/opensearch.primary.curlrc - OPENSEARCH_CREDS_CONFIG_FILE : '/var/local/opensearch.primary.curlrc' - # Whether or not connections to the primary remote OpenSearch instance require full - # TLS certificate validation for the connection (this may fail if using self-signed - # certificates). - OPENSEARCH_SSL_CERTIFICATE_VERIFICATION : 'false' - # Whether or not Malcolm's Logstash instance will forward logs to a secondary remote - # OpenSearch instance in addition to the (local or remote) primary instance. - OPENSEARCH_SECONDARY : 'false' - # URL for connecting to the secondary remote OpenSearch instance, specified - # in the format 'protocol://host:port'. - OPENSEARCH_SECONDARY_URL : '' - # Used when OPENSEARCH_SECONDARY is 'true', the cURL-formatted config file contains login - # credentials for the secondary OpenSearch instance. The comments describing - # OPENSEARCH_CREDS_CONFIG_FILE above also apply here. This file is bind mounted locally - # from .opensearch.secondary.curlrc as /var/local/opensearch.secondary.curlrc - OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE : '/var/local/opensearch.secondary.curlrc' - # Whether or not connections to the secondary remote OpenSearch instance require full - # TLS certificate validation for the connection (this may fail if using self-signed - # certificates). 
- OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION : 'false' - -x-arkime-variables: &arkime-variables - # Whether or not Arkime is allowed to delete uploaded/captured PCAP (see - # https://arkime.com/faq#pcap-deletion) - MANAGE_PCAP_FILES : 'false' - # The number of Arkime capture processes allowed to run concurrently - ARKIME_ANALYZE_PCAP_THREADS : 1 - # MaxMind GeoIP database update API key (see - # https://support.maxmind.com/hc/en-us/articles/4407116112539-Using-License-Keys) - MAXMIND_GEOIP_DB_LICENSE_KEY : '0' - -x-zeek-live-variables: &zeek-live-variables - # Whether or not Zeek should monitor live traffic on a local - # interface (PCAP_IFACE variable below specifies capture interfaces) - ZEEK_LIVE_CAPTURE : 'false' - -x-zeek-offline-variables: &zeek-offline-variables - # Whether or not Zeek should analyze uploaded PCAP files - ZEEK_AUTO_ANALYZE_PCAP_FILES : 'true' - # The number of Zeek processes for analyzing uploaded PCAP files allowed - # to run concurrently - ZEEK_AUTO_ANALYZE_PCAP_THREADS : 1 - # Whether or not Zeek should analyze captured PCAP files captured - # by netsniff-ng/tcpdump (see PCAP_ENABLE_NETSNIFF and PCAP_ENABLE_TCPDUMP - # below). If ZEEK_LIVE_CAPTURE is true, this should be false: otherwise - # Zeek will see duplicate traffic. 
- ZEEK_ROTATED_PCAP : 'true' - -x-zeek-variables: &zeek-variables - # Specifies the value for Zeek's Intel::item_expiration timeout (-1min to disable) - ZEEK_INTEL_ITEM_EXPIRATION : '-1min' - # When querying a TAXII or MISP feed, only process threat indicators that have - # been created or modified since the time represented by this value; - # it may be either a fixed date/time (01/01/2021) or relative interval (30 days ago) - ZEEK_INTEL_FEED_SINCE : '' - # Specifies a cron expression indicating the refresh interval for generating the - # Zeek Intelligence Framework files ('' disables automatic refresh) - ZEEK_INTEL_REFRESH_CRON_EXPRESSION : '' - # Determines the file extraction behavior for file transfers detected by Zeek - ZEEK_EXTRACTOR_MODE : 'none' - # Whether or not files extant in ./zeek-logs/extract_files/ will be ignored on startup - EXTRACTED_FILE_IGNORE_EXISTING : 'false' - # Determines the behavior for preservation of Zeek-extracted files - EXTRACTED_FILE_PRESERVATION : 'quarantined' - # The minimum size (in bytes) for files to be extracted by Zeek - EXTRACTED_FILE_MIN_BYTES : 64 - # The maximum size (in bytes) for files to be extracted by Zeek - EXTRACTED_FILE_MAX_BYTES : 134217728 - # A VirusTotal Public API v.20 used to submit hashes of Zeek-extracted files - VTOT_API2_KEY : '0' - # Rate limiting for VirusTotal, ClamAV, YARA and capa with Zeek-extracted files - VTOT_REQUESTS_PER_MINUTE : 4 - CLAMD_MAX_REQUESTS : 8 - YARA_MAX_REQUESTS : 8 - CAPA_MAX_REQUESTS : 4 - # Whether or not YARA will scan Zeek-extracted files - EXTRACTED_FILE_ENABLE_YARA : 'false' - # Whether or not the default YARA ruleset will be ignored and only custom rules used - EXTRACTED_FILE_YARA_CUSTOM_ONLY : 'false' - # Whether or not capa will scan Zeek-extracted executables - EXTRACTED_FILE_ENABLE_CAPA : 'false' - # Whether or not capa will be extra verbose - EXTRACTED_FILE_CAPA_VERBOSE : 'false' - # Whether or not ClamAV will scan Zeek-extracted executables - 
EXTRACTED_FILE_ENABLE_CLAMAV : 'false' - # Whether or not to regularly update rule definitions for file scanning engines - EXTRACTED_FILE_UPDATE_RULES : 'false' - # Whether or not to enable debug output for Zeek-extracted file scanning - EXTRACTED_FILE_PIPELINE_DEBUG : 'false' - # Whether or not to enable very verbose debug output for Zeek-extracted file scanning - EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA : 'false' - # Whether or not to serve the directory containing Zeek-extracted over HTTP at ./extracted-files/ - EXTRACTED_FILE_HTTP_SERVER_ENABLE : 'false' - # Whether or not Zeek-extracted files served over HTTP will be AES-256-CBC-encrypted - EXTRACTED_FILE_HTTP_SERVER_ENCRYPT : 'true' - # Specifies the AES-256-CBC decryption password for encrypted Zeek-extracted files served over HTTP - EXTRACTED_FILE_HTTP_SERVER_KEY : 'quarantined' - # Environment variables for tweaking Zeek at runtime (see local.zeek) - # Set to any non-blank value to disable the corresponding feature - ZEEK_DISABLE_HASH_ALL_FILES : '' - ZEEK_DISABLE_LOG_PASSWORDS : '' - ZEEK_DISABLE_SSL_VALIDATE_CERTS : '' - ZEEK_DISABLE_TRACK_ALL_ASSETS : '' - ZEEK_DISABLE_BEST_GUESS_ICS : 'true' - ZEEK_DISABLE_SPICY_DHCP : 'true' - ZEEK_DISABLE_SPICY_DNS : 'true' - ZEEK_DISABLE_SPICY_HTTP : 'true' - ZEEK_DISABLE_SPICY_IPSEC : '' - ZEEK_DISABLE_SPICY_LDAP : '' - ZEEK_DISABLE_SPICY_OPENVPN : '' - ZEEK_DISABLE_SPICY_STUN : '' - ZEEK_DISABLE_SPICY_TAILSCALE : '' - ZEEK_DISABLE_SPICY_TFTP : '' - ZEEK_DISABLE_SPICY_WIREGUARD : '' - -x-suricata-live-variables: &suricata-live-variables - # Whether or not Suricata should monitor live traffic on a local - # interface (PCAP_IFACE variable below specifies capture interfaces) - SURICATA_LIVE_CAPTURE : 'false' - # Specifies the Suricata runmode for live capture (see - # https://suricata.readthedocs.io/en/latest/performance/runmodes.html) - SURICATA_RUNMODE : 'workers' - -x-suricata-offline-variables: &suricata-offline-variables - # Whether or not Suricata should analyze 
uploaded PCAP files - SURICATA_AUTO_ANALYZE_PCAP_FILES: 'true' - # The number of Suricata processes for analyzing uploaded PCAP files allowed - # to run concurrently - SURICATA_AUTO_ANALYZE_PCAP_THREADS : 1 - # Whether or not Suricata should analyze captured PCAP files captured - # by netsniff-ng/tcpdump (see PCAP_ENABLE_NETSNIFF and PCAP_ENABLE_TCPDUMP - # below). If SURICATA_LIVE_CAPTURE is true, this should be false: otherwise - # Suricata will see duplicate traffic. - SURICATA_ROTATED_PCAP : 'true' - -x-suricata-variables: &suricata-variables - # Whether or not the default Suricata ruleset will be ignored and only custom rules used - SURICATA_CUSTOM_RULES_ONLY : 'false' - SURICATA_UPDATE_RULES: 'false' - SURICATA_UPDATE_DEBUG: 'false' - SURICATA_UPDATE_ETOPEN: 'true' - # suricata_config_populate.py can use MANY more environment variables to tweak - # suricata.yaml (see https://github.com/OISF/suricata/blob/master/suricata.yaml.in and - # https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html). - # DEFAULT_VARS in that script defines those variables (albeit without the - # required `SURICATA_` prefixing each) - -x-dashboards-helper-variables: &dashboards-helper-variables - # Whether or not to set OpenSearch Dashboards to dark mode - DASHBOARDS_DARKMODE : 'true' - # The maximum cumulative size of OpenSearch indices containing network traffic metadata - # (arkime_sessions3-*) before which the oldest indices will be deleted ('' to disable - # storage-based index pruning). 
- OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT : '0' - # Whether to determine the "oldest" indices for storage-based index pruning by creation - # date/time ('true') or index name ('false') - OPENSEARCH_INDEX_SIZE_PRUNE_NAME_SORT : 'false' - # Parameters for the OpenSearch repository used for index snapshots - ISM_SNAPSHOT_COMPRESSED : 'false' - ISM_SNAPSHOT_REPO : 'logs' - -x-logstash-variables: &logstash-variables - # Parameters for tuning Logstash pipelines (see - # https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html) - pipeline.workers : 3 - pipeline.batch.size : 75 - pipeline.batch.delay : 50 - # Whether or not Logstash will map MAC addresses to vendors for MAC addresses - LOGSTASH_OUI_LOOKUP : 'true' - # Whether or not Logstash will perform severity scoring on network traffic metadata - LOGSTASH_SEVERITY_SCORING : 'true' - # Whether or not Logstash will perform a reverse DNS lookup for external IP addresses - LOGSTASH_REVERSE_DNS : 'false' - # Whether or not Logstash will enrich network traffic metadata directly from net-map.json - LOGSTASH_NETWORK_MAP_ENRICHMENT : 'true' - # Whether or not Logstash will enrich network traffic metadata via NetBox API calls - LOGSTASH_NETBOX_ENRICHMENT : 'false' - -x-filebeat-variables: &filebeat-variables - # filebeat parameters used for monitoring log files containing network traffic metadata - # (see https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html) - FILEBEAT_SCAN_FREQUENCY : '10s' - FILEBEAT_CLEAN_INACTIVE : '180m' - FILEBEAT_IGNORE_OLDER : '120m' - FILEBEAT_CLOSE_INACTIVE : '120s' - FILEBEAT_CLOSE_INACTIVE_LIVE : '90m' - FILEBEAT_CLOSE_RENAMED : 'true' - FILEBEAT_CLOSE_REMOVED : 'true' - FILEBEAT_CLOSE_EOF : 'true' - FILEBEAT_CLEAN_REMOVED : 'true' - # Whether or not to expose a filebeat TCP input listener (see - # https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) - FILEBEAT_TCP_LISTEN : 'false' - # Log format expected for events sent to the 
filebeat TCP input listener ('json' or 'raw') - FILEBEAT_TCP_LOG_FORMAT : 'raw' - # Source field name to parse (when FILEBEAT_TCP_LOG_FORMAT is 'json') for events sent to the - # filebeat TCP input listener - FILEBEAT_TCP_PARSE_SOURCE_FIELD : 'message' - # Target field name to store decoded JSON fields (when FILEBEAT_TCP_LOG_FORMAT is 'json') for - # events sent to the filebeat TCP input listener - FILEBEAT_TCP_PARSE_TARGET_FIELD : '' - # Name of field to drop (if it exists) in events sent to the filebeat TCP input listener - FILEBEAT_TCP_PARSE_DROP_FIELD : '' - # Tag to append to events sent to the filebeat TCP input listener - FILEBEAT_TCP_TAG : '_malcolm_beats' - -x-netbox-variables: &netbox-variables - # Parameters related to NetBox (and supporting tools). Note that other more specific parameters - # can also be configured in the env_file files for netbox* services - # The name of the default "site" to be created upon NetBox initialization, and to be queried - # for enrichment (see LOGSTASH_NETBOX_ENRICHMENT) - NETBOX_DEFAULT_SITE : 'Malcolm' - # Whether to disable Malcolm's NetBox instance ('true') or not ('false') - NETBOX_DISABLED : &netboxdisabled 'true' - NETBOX_POSTGRES_DISABLED : *netboxdisabled - NETBOX_REDIS_DISABLED : *netboxdisabled - NETBOX_REDIS_CACHE_DISABLED : *netboxdisabled - # Whether or not to periodically query network traffic metadata and use it to populate NetBox - NETBOX_CRON : 'false' - # If using the NetBox interface to create API tokens, set this - # (see https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins) - # CSRF_TRUSTED_ORIGINS : 'https://malcolm.example.org' - -x-common-upload-variables: &common-upload-variables - # Whether or not to automatically apply tags based (on the PCAP filename) to network traffic metadata - # parsed from uploaded PCAP files - AUTO_TAG : 'true' - # The node name (e.g., the hostname of this machine running Malcolm) to associate with - # network traffic metadata - PCAP_NODE_NAME : 
'malcolm' - # Whether or not to enable debug output for processing uploaded/captured PCAP files - PCAP_PIPELINE_DEBUG : 'false' - # Whether or not to enable very verbose debug output for processing uploaded/captured PCAP files - PCAP_PIPELINE_DEBUG_EXTRA : 'false' - # Whether or not PCAP files extant in ./pcap/ will be ignored on startup - PCAP_PIPELINE_IGNORE_PREEXISTING : 'false' - # 'pcap-monitor' to match the name of the container providing the uploaded/captured PCAP file - # monitoring service - PCAP_MONITOR_HOST : 'pcap-monitor' - # The age (in minutes) at which already-processed log files containing network traffic metadata should - # be pruned from the filesystem - LOG_CLEANUP_MINUTES : 360 - # The age (in minutes) at which the compressed archives containing already-processed log files should - # be pruned from the filesystem - ZIP_CLEANUP_MINUTES : 720 - -x-common-lookup-variables: &common-lookup-variables - # Whether or not domain names (from DNS queries and SSL server names) will be assigned entropy scores - # as calculated by freq - FREQ_LOOKUP : 'true' - # When severity scoring is enabled, this variable indicates the entropy threshold for - # assigning severity to events with entropy scores calculated by freq; - # a lower value will only assign severity scores to fewer domain names with higher entropy - FREQ_SEVERITY_THRESHOLD : '2.0' - # When severity scoring is enabled, this variable indicates the size threshold (in megabytes) - # for assigning severity to large connections or file transfers - TOTAL_MEGABYTES_SEVERITY_THRESHOLD : 1000 - # When severity scoring is enabled, this variable indicates the duration threshold (in seconds) - # for assigning severity to long connections - CONNECTION_SECONDS_SEVERITY_THRESHOLD : 3600 - # When severity scoring is enabled, this variable defines a comma-separated list of - # sensitive countries (using ISO 3166-1 alpha-2 codes) - SENSITIVE_COUNTRY_CODES : 
'AM,AZ,BY,CN,CU,DZ,GE,HK,IL,IN,IQ,IR,KG,KP,KZ,LY,MD,MO,PK,RU,SD,SS,SY,TJ,TM,TW,UA,UZ' - -x-common-beats-variables: &common-beats-variables - # Whether or not Logstash will use require encrypted communications for any external - # Beats-based forwarders from which it will accept logs - BEATS_SSL : 'true' - -x-pcap-capture-variables: &pcap-capture-variables - # Whether or not netsniff-ng should create PCAP files from live traffic on a local - # interface for analysis by Arkime capture (should be 'false' if PCAP_ENABLE_TCPDUMP - # is 'true') - PCAP_ENABLE_NETSNIFF : 'false' - # Whether or not tcpdump should create PCAP files from live traffic on a local - # interface for analysis by Arkime capture (should be 'false' if PCAP_ENABLE_NETSNIFF - # is 'true') - PCAP_ENABLE_TCPDUMP : 'false' - # Specifies local network interface(s) for local packet capture if PCAP_ENABLE_NETSNIFF, - # PCAP_ENABLE_TCPDUMP, ZEEK_LIVE_CAPTURE or SURICATA_LIVE_CAPTURE are 'true' - PCAP_IFACE : 'lo' - # Whether or not ethtool will disable NIC hardware offloading features and adjust - # ring buffer sizes for capture interface(s) (should be 'true' if the interface(s) are - # being used for capture only, 'false' if they are being used for management/communication) - PCAP_IFACE_TWEAK : 'false' - # Specifies how large a locally-captured PCAP file can become (in megabytes) before - # it is closed for processing and a new PCAP file created - PCAP_ROTATE_MEGABYTES : 4096 - # Specifies a time interval (in minutes) after which a locally-captured PCAP file - # will be closed for processing and a new PCAP file created - PCAP_ROTATE_MINUTES : 10 - # Specifies a tcpdump-style filter expression for local packet capture ('' to capture all traffic) - PCAP_FILTER : '' -################################################################################ - services: opensearch: build: context: . 
dockerfile: Dockerfiles/opensearch.Dockerfile - image: ghcr.io/idaholab/malcolm/opensearch:23.04.0 + image: ghcr.io/idaholab/malcolm/opensearch:23.05.0 restart: "no" stdin_open: false tty: true hostname: opensearch networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env environment: - <<: [*opensearch-variables, *ssl-variables, *process-variables] - logger.level : 'INFO' - bootstrap.memory_lock : 'true' - MAX_LOCKED_MEMORY : 'unlimited' - OPENSEARCH_JAVA_OPTS : '-server -Xms4g -Xmx4g -Xss256k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true' VIRTUAL_HOST : 'os.malcolm.local' - discovery.type : 'single-node' - cluster.routing.allocation.disk.threshold_enabled : 'false' - cluster.routing.allocation.node_initial_primaries_recoveries : 8 - indices.query.bool.max_clause_count : 4096 - path.repo : '/opt/opensearch/backup' ulimits: memlock: soft: -1 @@ -389,11 +28,11 @@ services: - IPC_LOCK volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/curlrc/.opensearch.secondary.curlrc:ro - ./opensearch:/usr/share/opensearch/data:delegated - ./opensearch-backup:/opt/opensearch/backup:delegated - - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/opensearch.keystore:rw + - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/persist/opensearch.keystore:rw healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:9200"] interval: 30s 
@@ -404,27 +43,26 @@ services: build: context: . dockerfile: Dockerfiles/dashboards-helper.Dockerfile - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.04.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:23.05.0 restart: "no" stdin_open: false tty: true hostname: dashboards-helper networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/dashboards-helper.env environment: - <<: [*dashboards-helper-variables, *opensearch-variables, *ssl-variables, *process-variables] - DASHBOARDS_URL : 'http://dashboards:5601/dashboards' VIRTUAL_HOST : 'dashboards-helper.malcolm.local' - ARKIME_INDEX_PATTERN : 'arkime_sessions3-*' - ARKIME_INDEX_PATTERN_ID : 'arkime_sessions3-*' - ARKIME_INDEX_TIME_FIELD : 'firstPacket' - CREATE_OS_ARKIME_SESSION_INDEX : 'true' depends_on: - opensearch volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/curlrc/.opensearch.secondary.curlrc:ro healthcheck: test: ["CMD", "supervisorctl", "status", "cron", "maps"] interval: 60s 
@@ -435,22 +73,25 @@ services: build: context: . dockerfile: Dockerfiles/dashboards.Dockerfile - image: ghcr.io/idaholab/malcolm/dashboards:23.04.0 + image: ghcr.io/idaholab/malcolm/dashboards:23.05.0 restart: "no" stdin_open: false tty: true hostname: dashboards networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env environment: - <<: [*opensearch-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'dashboards.malcolm.local' depends_on: - opensearch - dashboards-helper volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5601/dashboards/api/status"] interval: 30s @@ -461,7 +102,7 @@ services: build: context: . dockerfile: Dockerfiles/logstash.Dockerfile - image: ghcr.io/idaholab/malcolm/logstash-oss:23.04.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:23.05.0 restart: "no" stdin_open: false tty: true 
@@ -474,18 +115,24 @@ services: hard: -1 cap_add: - IPC_LOCK - env_file: ./netbox/env/netbox.env - environment: - <<: [*common-lookup-variables, *common-beats-variables, *logstash-variables, *netbox-variables, *opensearch-variables, *ssl-variables, *process-variables] - LS_JAVA_OPTS : '-server -Xms2g -Xmx2g -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/netbox-common.env + - ./config/netbox.env + - ./config/netbox-secret.env + - ./config/beats-common.env + - ./config/lookup-common.env + - ./config/logstash.env depends_on: - opensearch ports: - "127.0.0.1:5044:5044" volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/curlrc/.opensearch.secondary.curlrc:ro - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.orig.yml:ro - ./logstash/pipelines:/usr/share/logstash/malcolm-pipelines.available:ro - ./logstash/patterns:/usr/share/logstash/malcolm-patterns:ro @@ -494,7 +141,6 @@ services: - ./logstash/certs/ca.crt:/certs/ca.crt:ro - ./logstash/certs/server.crt:/certs/server.crt:ro - ./logstash/certs/server.key:/certs/server.key:ro - - ./net-map.json:/usr/share/logstash/config/net-map.json:ro healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:9600"] interval: 30s 
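Review bot: Logstash is handed the whole of `./config/netbox-secret.env` together with `netbox.env` and `netbox-common.env`, although the only NetBox secret the enrichment path should need is an API token (inferred from `LOGSTASH_NETBOX_ENRICHMENT`; the file contents are not part of this diff). If that file also holds the NetBox superuser or database credentials, they now reach a container that has no use for them; a token-only file shared between the logstash and netbox services would keep each per-service list at least privilege, and the same question applies to `arkime-secret.env`, `zeek-secret.env` (zeek, zeek-live and file-monitor) and the netbox hunks further down. Values loaded through `env_file` are still exposed in the container's metadata (`docker inspect`) exactly as the removed inline `environment:` entries were, so this move protects the compose file rather than the running container. The new `config/*-secret.env` files therefore need VCS exclusion and restrictive file permissions, neither of which is visible here.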
@@ -505,26 +151,28 @@ services: build: context: . dockerfile: Dockerfiles/filebeat.Dockerfile - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.04.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:23.05.0 restart: "no" stdin_open: false tty: true hostname: filebeat networks: - default - environment: - <<: [*common-beats-variables, *common-upload-variables, *filebeat-variables, *opensearch-variables, *nginx-variables, *ssl-variables, *process-variables] - FILEBEAT_ZEEK_LOG_PATH : '/zeek/current' - FILEBEAT_ZEEK_LOG_LIVE_PATH : '/zeek/live' - FILEBEAT_SURICATA_LOG_PATH : '/suricata' - FILEBEAT_NGINX_LOG_PATH : '/nginx' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/upload-common.env + - ./config/nginx.env + - ./config/beats-common.env + - ./config/filebeat.env depends_on: - logstash ports: - "127.0.0.1:5045:5045" volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro - nginx-log-path:/nginx:ro - ./zeek-logs:/zeek - ./suricata-logs:/suricata @@ -541,7 +189,7 @@ services: build: context: . dockerfile: Dockerfiles/arkime.Dockerfile - image: ghcr.io/idaholab/malcolm/arkime:23.04.0 + image: ghcr.io/idaholab/malcolm/arkime:23.05.0 restart: "no" stdin_open: false tty: true @@ -549,13 +197,15 @@ services: networks: - default env_file: - - ./auth.env + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/upload-common.env + - ./config/auth.env + - ./config/arkime.env + - ./config/arkime-secret.env environment: - <<: [*arkime-variables, *common-upload-variables, *opensearch-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'arkime.malcolm.local' - OPENSEARCH_MAX_SHARDS_PER_NODE : 2500 - VIEWER : 'on' - WISE : 'on' ulimits: memlock: soft: -1 
@@ -564,7 +214,7 @@ services: - opensearch volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro - ./pcap:/data/pcap - ./arkime-logs:/opt/arkime/logs - ./arkime-raw:/opt/arkime/raw @@ -581,7 +231,7 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: ghcr.io/idaholab/malcolm/zeek:23.04.0 + image: ghcr.io/idaholab/malcolm/zeek:23.05.0 restart: "no" stdin_open: false tty: true @@ -597,10 +247,13 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*zeek-offline-variables, *zeek-variables, *common-upload-variables, *ssl-variables, *process-variables] - ZEEK_PCAP_PROCESSOR : 'true' - ZEEK_CRON : 'false' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/upload-common.env + - ./config/zeek.env + - ./config/zeek-secret.env + - ./config/zeek-offline.env depends_on: - opensearch volumes: @@ -620,7 +273,7 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: ghcr.io/idaholab/malcolm/zeek:23.04.0 + image: ghcr.io/idaholab/malcolm/zeek:23.05.0 restart: "no" stdin_open: false tty: true @@ -634,13 +287,14 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*pcap-capture-variables, *zeek-live-variables, *zeek-variables, *common-upload-variables, *ssl-variables, *process-variables] - ZEEK_PCAP_PROCESSOR : 'false' - ZEEK_CRON : 'true' - ZEEK_LOG_PATH : '/zeek/live' - ZEEK_INTEL_PATH : '/opt/zeek/share/zeek/site/intel' - EXTRACT_FILES_PATH : '/zeek/extract_files' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/upload-common.env + - ./config/pcap-capture.env + - ./config/zeek.env + - ./config/zeek-secret.env + - ./config/zeek-live.env volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./zeek-logs/live:/zeek/live 
@@ -651,7 +305,7 @@ services: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: ghcr.io/idaholab/malcolm/suricata:23.04.0 + image: ghcr.io/idaholab/malcolm/suricata:23.05.0 restart: "no" stdin_open: false tty: true @@ -667,9 +321,12 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*suricata-offline-variables, *suricata-variables, *common-upload-variables, *ssl-variables, *process-variables] - SURICATA_PCAP_PROCESSOR : 'true' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/upload-common.env + - ./config/suricata.env + - ./config/suricata-offline.env depends_on: - logstash volumes: @@ -687,7 +344,7 @@ services: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: ghcr.io/idaholab/malcolm/suricata:23.04.0 + image: ghcr.io/idaholab/malcolm/suricata:23.05.0 restart: "no" stdin_open: false tty: true @@ -701,9 +358,13 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*pcap-capture-variables, *suricata-live-variables, *suricata-variables, *common-upload-variables, *ssl-variables, *process-variables] - SURICATA_PCAP_PROCESSOR : 'false' + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/upload-common.env + - ./config/pcap-capture.env + - ./config/suricata.env + - ./config/suricata-live.env volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata @@ -712,15 +373,19 @@ services: build: context: . dockerfile: Dockerfiles/file-monitor.Dockerfile - image: ghcr.io/idaholab/malcolm/file-monitor:23.04.0 + image: ghcr.io/idaholab/malcolm/file-monitor:23.05.0 restart: "no" stdin_open: false tty: true hostname: file-monitor networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/zeek.env + - ./config/zeek-secret.env environment: - <<: [*zeek-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'file-monitor.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro 
@@ -737,7 +402,7 @@ services: build: context: . dockerfile: Dockerfiles/pcap-capture.Dockerfile - image: ghcr.io/idaholab/malcolm/pcap-capture:23.04.0 + image: ghcr.io/idaholab/malcolm/pcap-capture:23.05.0 restart: "no" stdin_open: false tty: true @@ -751,8 +416,10 @@ services: - NET_ADMIN - NET_RAW - SYS_ADMIN - environment: - <<: [*pcap-capture-variables, *ssl-variables, *process-variables] + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/pcap-capture.env volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap/upload:/pcap @@ -760,20 +427,23 @@ services: build: context: . dockerfile: Dockerfiles/pcap-monitor.Dockerfile - image: ghcr.io/idaholab/malcolm/pcap-monitor:23.04.0 + image: ghcr.io/idaholab/malcolm/pcap-monitor:23.05.0 restart: "no" stdin_open: false tty: true - hostname: pcapmon + hostname: pcap-monitor networks: - default - environment: - <<: [*common-upload-variables, *opensearch-variables, *ssl-variables, *process-variables] + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/upload-common.env depends_on: - opensearch volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro - ./zeek-logs:/zeek - ./pcap:/pcap healthcheck: @@ -786,7 +456,7 @@ services: build: context: . dockerfile: Dockerfiles/file-upload.Dockerfile - image: ghcr.io/idaholab/malcolm/file-upload:23.04.0 + image: ghcr.io/idaholab/malcolm/file-upload:23.05.0 restart: "no" stdin_open: false tty: true @@ -794,10 +464,11 @@ services: networks: - default env_file: - - ./auth.env + - ./config/process.env + - ./config/ssl.env + - ./config/auth.env + - ./config/upload.env environment: - <<: [*ssl-variables, *process-variables] - SITE_NAME : 'Capture File and Log Archive Upload' VIRTUAL_HOST : 'upload.malcolm.local' depends_on: - arkime 
@@ -813,7 +484,7 @@ services: retries: 3 start_period: 60s htadmin: - image: ghcr.io/idaholab/malcolm/htadmin:23.04.0 + image: ghcr.io/idaholab/malcolm/htadmin:23.05.0 build: context: . dockerfile: Dockerfiles/htadmin.Dockerfile @@ -823,14 +494,17 @@ services: hostname: htadmin networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/auth-common.env environment: - <<: [*auth-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'htadmin.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw + - ./nginx/htpasswd:/var/www/htadmin/auth/htpasswd:rw healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost"] interval: 60s @@ -838,7 +512,7 @@ services: retries: 3 start_period: 60s freq: - image: ghcr.io/idaholab/malcolm/freq:23.04.0 + image: ghcr.io/idaholab/malcolm/freq:23.05.0 build: context: . dockerfile: Dockerfiles/freq.Dockerfile @@ -848,8 +522,11 @@ services: hostname: freq networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/lookup-common.env environment: - <<: [*common-lookup-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'freq.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro 
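Review bot: The htpasswd bind mount moves to `/var/www/htadmin/auth/htpasswd` here and to `/etc/nginx/auth/htpasswd` in the nginx-proxy hunk, so both the htadmin `config.ini` and the nginx site configuration must now reference the `auth/` locations; neither file is part of this diff, and a stale path in either would leave htadmin writing one file while nginx authenticates against another. The host file is the same `./nginx/htpasswd` for both, mounted rw for htadmin and ro for nginx, which is the right split of write access. A one-line comment above the mount, `# same host file as nginx-proxy's /etc/nginx/auth/htpasswd (ro there); keep both container paths in sync with the images' configs`, would make the coupling visible to the next editor.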
@@ -859,31 +536,8 @@ services: timeout: 15s retries: 3 start_period: 60s - name-map-ui: - image: ghcr.io/idaholab/malcolm/name-map-ui:23.04.0 - build: - context: . - dockerfile: Dockerfiles/name-map-ui.Dockerfile - restart: "no" - stdin_open: false - tty: true - hostname: name-map-ui - networks: - - default - environment: - <<: [*ssl-variables, *process-variables] - VIRTUAL_HOST : 'name-map-ui.malcolm.local' - volumes: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./net-map.json:/var/www/html/maps/net-map.json:rw - healthcheck: - test: ["CMD", "curl", "--silent", "--fail", "http://localhost:8080/fpm-ping"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 60s netbox: - image: ghcr.io/idaholab/malcolm/netbox:23.04.0 + image: ghcr.io/idaholab/malcolm/netbox:23.05.0 build: context: . dockerfile: Dockerfiles/netbox.Dockerfile @@ -893,9 +547,13 @@ services: hostname: netbox networks: - default - env_file: ./netbox/env/netbox.env + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/netbox-common.env + - ./config/netbox.env + - ./config/netbox-secret.env environment: - <<: [*netbox-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'netbox.malcolm.local' depends_on: - netbox-postgres @@ -916,7 +574,7 @@ services: retries: 3 start_period: 120s netbox-postgres: - image: ghcr.io/idaholab/malcolm/postgresql:23.04.0 + image: ghcr.io/idaholab/malcolm/postgresql:23.05.0 build: context: . dockerfile: Dockerfiles/postgresql.Dockerfile @@ -926,9 +584,12 @@ services: hostname: netbox-postgres networks: - default - env_file: ./netbox/env/postgres.env + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/netbox-common.env + - ./config/netbox-postgres.env environment: - <<: [*netbox-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'netbox-postgres.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro 
@@ -940,7 +601,7 @@ services: retries: 3 start_period: 45s netbox-redis: - image: ghcr.io/idaholab/malcolm/redis:23.04.0 + image: ghcr.io/idaholab/malcolm/redis:23.05.0 build: context: . dockerfile: Dockerfiles/redis.Dockerfile @@ -950,9 +611,12 @@ services: hostname: netbox-redis networks: - default - env_file: ./netbox/env/redis.env + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/netbox-common.env + - ./config/netbox-redis.env environment: - <<: [*netbox-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'netbox-redis.malcolm.local' command: - sh @@ -968,7 +632,7 @@ services: retries: 3 start_period: 45s netbox-redis-cache: - image: ghcr.io/idaholab/malcolm/redis:23.04.0 + image: ghcr.io/idaholab/malcolm/redis:23.05.0 build: context: . dockerfile: Dockerfiles/redis.Dockerfile @@ -978,9 +642,12 @@ services: hostname: netbox-redis-cache networks: - default - env_file: ./netbox/env/redis-cache.env + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/netbox-common.env + - ./config/netbox-redis-cache.env environment: - <<: [*netbox-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'netbox-redis-cache.malcolm.local' command: - sh @@ -995,7 +662,7 @@ services: retries: 3 start_period: 45s api: - image: ghcr.io/idaholab/malcolm/api:23.04.0 + image: ghcr.io/idaholab/malcolm/api:23.05.0 build: context: . dockerfile: Dockerfiles/api.Dockerfile 
@@ -1006,14 +673,17 @@ services: hostname: api networks: - default + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env environment: - <<: [*opensearch-variables, *ssl-variables, *process-variables] VIRTUAL_HOST : 'api.malcolm.local' volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro healthcheck: - test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5000/ping"] + test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5000/mapi/ping"] interval: 30s timeout: 15s retries: 3 @@ -1022,34 +692,34 @@ services: build: context: . dockerfile: Dockerfiles/nginx.Dockerfile - image: ghcr.io/idaholab/malcolm/nginx-proxy:23.04.0 + image: ghcr.io/idaholab/malcolm/nginx-proxy:23.05.0 restart: "no" stdin_open: false tty: true hostname: nginx-proxy networks: - default - environment: - <<: [*nginx-variables, *auth-variables, *ssl-variables, *process-variables] + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/auth-common.env + - ./config/nginx.env depends_on: - api - arkime - dashboards - file-monitor - htadmin - - name-map-ui - netbox - upload ports: - "0.0.0.0:443:443" - - "0.0.0.0:488:488" - - "127.0.0.1:5601:5601" - "127.0.0.1:9200:9200" volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - nginx-log-path:/var/log/nginx:rw - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro - - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro + - ./nginx/htpasswd:/etc/nginx/auth/htpasswd:ro - ./nginx/certs:/etc/nginx/certs:ro - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro healthcheck: 
@@ -1059,15 +729,15 @@ services: retries: 3 start_period: 120s labels: - traefik.enable: "false" - # traefik.http.routers.osmalcolm.rule: 'Host(`opensearch.malcolm.example.org`)' - # traefik.http.routers.osmalcolm.entrypoints: 'websecure' - # traefik.http.routers.osmalcolm.tls.certresolver: 'myresolver' + traefik.enable: 'false' + # traefik.http.routers.osmalcolm.rule: 'Host(``)' + # traefik.http.routers.osmalcolm.entrypoints: '' + # traefik.http.routers.osmalcolm.tls.certresolver: '' # traefik.http.routers.osmalcolm.service: 'osmalcolm' # traefik.http.services.osmalcolm.loadbalancer.server.port: '9200' - # traefik.http.routers.malcolm.rule: 'Host(`malcolm.example.org`)' - # traefik.http.routers.malcolm.entrypoints: 'websecure' - # traefik.http.routers.malcolm.tls.certresolver: 'myresolver' + # traefik.http.routers.malcolm.rule: 'Host(``)' + # traefik.http.routers.malcolm.entrypoints: '' + # traefik.http.routers.malcolm.tls.certresolver: '' # traefik.http.routers.malcolm.service: 'malcolm' # traefik.http.services.malcolm.loadbalancer.server.port: '443' @@ -1077,4 +747,4 @@ volumes: networks: default: - external: false \ No newline at end of file + external: false diff --git a/docs/README.md b/docs/README.md index d3eadbb88..cdcc3f161 100644 --- a/docs/README.md +++ b/docs/README.md 
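Review bot: The commented traefik examples now carry empty values (`Host(``)`, `''`), so the template no longer tells an operator what shape each label expects. A short lead-in comment above the block, e.g. `# To expose Malcolm through Traefik, uncomment these and fill in the client-facing FQDN in Host(...), the Traefik entrypoint name and the certresolver name`, would restore that guidance without hard-coding a sample hostname. The change from `"false"` to `'false'` on `traefik.enable` is cosmetic and behaviour-neutral in YAML.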
@@ -4,7 +4,7 @@ Malcolm processes network traffic data in the form of packet capture (docs/PCAP) files or Zeek logs. A [sensor](live-analysis.md#Hedgehog) (packet capture appliance) monitors network traffic mirrored to it over a SPAN port on a network switch or router, or using a network TAP device. [Zeek](https://www.zeek.org/index.html) logs and [Arkime](https://arkime.com/) sessions are generated containing important session metadata from the traffic observed, which are then securely forwarded to a Malcolm instance. Full PCAP files are optionally stored locally on the sensor device for examination later. -Malcolm parses the network session data and enriches it with additional lookups and mappings including GeoIP mapping, hardware manufacturer lookups from [organizationally unique identifiers (docs/OUI)](http://standards-oui.ieee.org/oui/oui.txt) in MAC addresses, assigning names to [network segments](host-and-subnet-mapping.md#SegmentNaming) and [hosts](host-and-subnet-mapping.md#HostNaming) based on user-defined IP address and MAC mappings, performing [TLS fingerprinting](https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967), and many others. +Malcolm parses the network session data and enriches it with additional lookups and mappings including GeoIP mapping, hardware manufacturer lookups from [organizationally unique identifiers (docs/OUI)](http://standards-oui.ieee.org/oui/oui.txt) in MAC addresses, assigning names to [network segments and hosts](asset-interaction-analysis.md#AssetInteractionAnalysis) based on a user-defined asset inventory, performing [TLS fingerprinting](https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967), and many others. 
The enriched data is stored in an [OpenSearch](https://opensearch.org/) document store in a format suitable for analysis through two intuitive interfaces: OpenSearch Dashboards, a flexible data visualization plugin with dozens of prebuilt dashboards providing an at-a-glance overview of network protocols; and Arkime, a powerful tool for finding and identifying the network sessions comprising suspected security incidents. These tools can be accessed through a web browser from analyst workstations or for display in a security operations center (SOC). Logs can also optionally be forwarded on to another instance of Malcolm. @@ -24,7 +24,7 @@ For smaller networks, use at home by network security enthusiasts, or in the fie * [Configuration](malcolm-preparation.md#Configuration) - [Recommended system requirements](system-requirements.md#SystemRequirements) - [Malcolm Configuration](malcolm-config.md#ConfigAndTuning) - + [`docker-compose.yml` parameters](malcolm-config.md#DockerComposeYml) + + [Environment Variable Files](malcolm-config.md#MalcolmConfigEnvVars) - [Configure authentication](authsetup.md#AuthSetup) + [Local account management](authsetup.md#AuthBasicAccountManagement) + [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) 
@@ -71,11 +71,6 @@ For smaller networks, use at home by network security enthusiasts, or in the fie * [Search Queries in Arkime and OpenSearch](queries-cheat-sheet.md#SearchCheatSheet) * Other Malcolm features - [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) - - [Automatic host and subnet name assignment](host-and-subnet-mapping.md#HostAndSubnetNaming) - + [Defining hostname and CIDR subnet names interface](host-and-subnet-mapping.md#NameMapUI) - + [Applying mapping changes](host-and-subnet-mapping.md#ApplyMapping) - + [IP/MAC address to hostname mapping](host-and-subnet-mapping.md#HostNaming) - + [CIDR subnet to network segment name mapping](host-and-subnet-mapping.md#SegmentNaming) - [OpenSearch index management](index-management.md#IndexManagement) - [Event severity scoring](severity.md#Severity) + [Customizing event severity scoring](severity.md#SeverityConfig) @@ -102,6 +97,7 @@ For smaller networks, use at home by network security enthusiasts, or in the fie - [Generating the ISO](malcolm-iso.md#ISOBuild) - [Setup](malcolm-iso.md#ISOSetup) - [Time synchronization](time-sync.md#ConfigTime) +* [Deploying Malcolm with Kubernetes](kubernetes.md#Kubernetes) * [Hardening](hardening.md#Hardening) - [Compliance Exceptions](hardening.md#ComplianceExceptions) * [Installation example using Ubuntu 22.04 LTS](ubuntu-install-example.md#InstallationExample) diff --git a/docs/arkime.md b/docs/arkime.md index a95464617..59906a0e7 100644 --- a/docs/arkime.md +++ b/docs/arkime.md 
@@ -120,7 +120,7 @@ While the default source and destination fields are *Src IP* and *Dst IP:Dst Por * *Src OUI* and *Dst OUI* (hardware manufacturers) * *Src IP* and *Protocols* -* *Originating Network Segment* and *Responding Network Segment* (see [CIDR subnet to network segment name mapping](host-and-subnet-mapping.md#SegmentNaming)) +* *Originating Network Segment* and *Responding Network Segment* (see [Asset Interaction Analysis](asset-interaction-analysis.md#AssetInteractionAnalysis)) * *Originating GeoIP City* and *Responding GeoIP City* or any other combination of these or other fields. diff --git a/docs/asset-interaction-analysis.md b/docs/asset-interaction-analysis.md index 2c2ce86a4..90637e1d2 100644 --- a/docs/asset-interaction-analysis.md +++ b/docs/asset-interaction-analysis.md 
@@ -16,7 +16,7 @@ Please see the [NetBox page on GitHub](https://github.com/netbox-community/netbo ## Enriching network traffic metadata via NetBox lookups -As Zeek logs and Suricata alerts are parsed and enriched (if the `LOGSTASH_NETBOX_ENRICHMENT` [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) is set to `true`) the NetBox API will be queried for the associated hosts' information. If found, the information retrieved by NetBox will be used to enrich these logs through the creation of the following new fields. See [the NetBox API](https://demo.netbox.dev/api/docs/) documentation and [the NetBox documentation](https://demo.netbox.dev/static/docs/introduction/). +As Zeek logs and Suricata alerts are parsed and enriched (if the `LOGSTASH_NETBOX_ENRICHMENT` [environment variable in `./config/logstash.env`](malcolm-config.md#MalcolmConfigEnvVars) is set to `true`) the NetBox API will be queried for the associated hosts' information. If found, the information retrieved by NetBox will be used to enrich these logs through the creation of the following new fields. See [the NetBox API](https://demo.netbox.dev/api/docs/) documentation and [the NetBox documentation](https://demo.netbox.dev/static/docs/introduction/). * `destination.…` - `destination.device.cluster` (`/virtualization/clusters/`) (for [Virtual Machine](https://demo.netbox.dev/static/docs/coe-functionality/virtualization/) device types) 
@@ -28,13 +28,13 @@ As Zeek logs and Suricata alerts are parsed and enriched (if the `LOGSTASH_NETBO - [`destination.device.service`](https://demo.netbox.dev/static/docs/core-functionality/services/#service-templates) (`/ipam/services/`) - `destination.device.site` (`/dcim/sites/`) - `destination.device.url` (`/dcim/devices/`) - - `destination.device.details` (full JSON object, [only with `LOGSTASH_NETBOX_ENRICHMENT_VERBOSE: 'true'`](malcolm-config.md#DockerComposeYml)) + - `destination.device.details` (full JSON object, [only with `LOGSTASH_NETBOX_ENRICHMENT_VERBOSE: 'true'`](malcolm-config.md#MalcolmConfigEnvVars)) - `destination.segment.id` (`/ipam/vrfs/{id}`) - `destination.segment.name` (`/ipam/vrfs/`) - `destination.segment.site` (`/dcim/sites/`) - `destination.segment.tenant` (`/tenancy/tenants/`) - `destination.segment.url` (`/ipam/vrfs/`) - - `destination.segment.details` (full JSON object, [only with `LOGSTASH_NETBOX_ENRICHMENT_VERBOSE: 'true'`](malcolm-config.md#DockerComposeYml)) + - `destination.segment.details` (full JSON object, [only with `LOGSTASH_NETBOX_ENRICHMENT_VERBOSE: 'true'`](malcolm-config.md#MalcolmConfigEnvVars)) * `source.…` same as `destination.…` * collected as `related` fields (the [same approach](https://www.elastic.co/guide/en/ecs/current/ecs-related.html) used in ECS) - `related.device_type` 
@@ -47,7 +47,7 @@ As Zeek logs and Suricata alerts are parsed and enriched (if the `LOGSTASH_NETBO For Malcolm's purposes, both physical devices and virtualized hosts will be stored as described above: the `device_type` field can be used to distinguish between them. -NetBox has the concept of [sites](https://demo.netbox.dev/static/docs/core-functionality/sites-and-racks/). Sites can have overlapping IP address ranges, of course. The value of the `NETBOX_DEFAULT_SITE` variable in [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) will be used as a query parameter for these enrichment lookups. +NetBox has the concept of [sites](https://demo.netbox.dev/static/docs/core-functionality/sites-and-racks/). Sites can have overlapping IP address ranges, of course. The value of the `NETBOX_DEFAULT_SITE` variable in [environment variable in `netbox-common.env`](malcolm-config.md#MalcolmConfigEnvVars) will be used as a query parameter for these enrichment lookups. This feature was implemented as described in [idaholab/Malcolm#132](https://github.com/idaholab/Malcolm/issues/132). 
@@ -73,7 +73,7 @@ See [idaholab/Malcolm#134](https://github.com/idaholab/Malcolm/issues/134). ## Populate NetBox inventory via passively-gathered network traffic metadata -The purpose of an asset management system is to document the intended state of a network: were Malcolm to actively and agressively populate NetBox with the live network state, a network configuration fault could result in an incorrect documented configuration. The Malcolm development team is investigating what data, if any, should automatically flow to NetBox based on traffic observed (enabled via the `NETBOX_CRON` [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml)), and what NetBox inventory data could be used, if any, to enrich Malcolm's network traffic metadata. Well-considered suggestions in this area are welcome. +The purpose of an asset management system is to document the intended state of a network: were Malcolm to actively and agressively populate NetBox with the live network state, a network configuration fault could result in an incorrect documented configuration. The Malcolm development team is investigating what data, if any, should automatically flow to NetBox based on traffic observed (enabled via the `NETBOX_CRON` [environment variable in `netbox-common.env`](malcolm-config.md#MalcolmConfigEnvVars)), and what NetBox inventory data could be used, if any, to enrich Malcolm's network traffic metadata. Well-considered suggestions in this area are welcome. See [idaholab/Malcolm#135](https://github.com/idaholab/Malcolm/issues/135). 
@@ -97,4 +97,4 @@ To clear the existing NetBox database and restore a previous backup, run the fol ``` -Note that some of the data in the NetBox database is cryptographically signed with the value of the `SECRET_KEY` environment variable in the `./netbox/env/netbox.env` environment file. A restored NetBox backup **will not work** if this value is different from when it was created. +Note that some of the data in the NetBox database is cryptographically signed with the value of the `SECRET_KEY` environment variable in the `./netbox/env/netbox-secret.env` environment file. A restored NetBox backup **will not work** if this value is different from when it was created. diff --git a/docs/authsetup.md b/docs/authsetup.md index 4a0fe6a10..96b0a1ac1 100644 --- a/docs/authsetup.md +++ b/docs/authsetup.md @@ -12,7 +12,7 @@ With the local basic authentication method, user accounts are managed by Malcolm LDAP authentication are managed on a remote directory service, such as a [Microsoft Active Directory Domain Services](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) or [OpenLDAP](https://www.openldap.org/). -Malcolm's authentication method is defined in the `x-auth-variables` section near the top of the [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) file with the `NGINX_BASIC_AUTH` environment variable: `true` for local TLS-encrypted HTTP basic authentication, `false` for LDAP authentication. +Malcolm's authentication method is defined in the [`auth-common.env` configuration file](malcolm-config.md#MalcolmConfigEnvVars) file with the `NGINX_BASIC_AUTH` environment variable: `true` for local TLS-encrypted HTTP basic authentication, `false` for LDAP authentication and `no_authentication` to disable authentication completely. In either case, you **must** run `./scripts/auth_setup` before starting Malcolm for the first time in order to: 
@@ -27,11 +27,11 @@ In either case, you **must** run `./scripts/auth_setup` before starting Malcolm # Local account management -[`auth_setup`](#AuthSetup) is used to define the username and password for the administrator account. Once Malcolm is running, the administrator account can be used to manage other user accounts via a **Malcolm User Management** page served over HTTPS on port 488 (e.g., [https://localhost:488](https://localhost:488) if you are connecting locally). +[`auth_setup`](#AuthSetup) is used to define the username and password for the administrator account. Once Malcolm is running, the administrator account can be used to manage other user accounts via a **Malcolm User Management** page at [https://localhost/auth](https://localhost/auth/) if you are connecting locally) Malcolm user accounts can be used to access the [interfaces](quickstart.md#UserInterfaceURLs) of all of its [components](components.md#Components), including Arkime. Arkime uses its own internal database of user accounts, so when a Malcolm user account logs in to Arkime for the first time Malcolm creates a corresponding Arkime user account automatically. This being the case, it is *not* recommended to use the Arkime **Users** settings page or change the password via the **Password** form under the Arkime **Settings** page, as those settings would not be consistently used across Malcolm. -Users may change their passwords via the **Malcolm User Management** page by clicking **User Self Service**. A forgotten password can also be reset via an emailed link, though this requires SMTP server settings to be specified in `htadmin/config.ini` in the Malcolm installation directory. +Users may change their passwords via the **Malcolm User Management** page by clicking **User Self Service**. ## Lightweight Directory Access Protocol (LDAP) authentication 
@@ -82,16 +82,16 @@ Authentication over LDAP can be done using one of three ways, [two of which](htt * **LDAPS** - a commonly used (though unofficial and considered deprecated) method in which SSL negotiation takes place before any commands are sent from the client to the server * **Unencrypted** (cleartext) (***not recommended***) -In addition to the `NGINX_BASIC_AUTH` environment variable being set to `false` in the `x-auth-variables` section near the top of the [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) file, the `NGINX_LDAP_TLS_STUNNEL` and `NGINX_LDAP_TLS_STUNNEL` environment variables are used in conjunction with the values in `nginx/nginx_ldap.conf` to define the LDAP connection security level. Use the following combinations of values to achieve the connection security methods above, respectively: +In addition to the `NGINX_BASIC_AUTH` environment variable being set to `false` in the [`auth-common.env` configuration file](malcolm-config.md#MalcolmConfigEnvVars) file, the `NGINX_LDAP_TLS_STUNNEL` and `NGINX_LDAP_TLS_STUNNEL` environment variables are used in conjunction with the values in `nginx/nginx_ldap.conf` to define the LDAP connection security level. 
Use the following combinations of values to achieve the connection security methods above, respectively: * **StartTLS** - - `NGINX_LDAP_TLS_STUNNEL` set to `true` in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) + - `NGINX_LDAP_TLS_STUNNEL` set to `true` in [`auth-common.env`](malcolm-config.md#MalcolmConfigEnvVars) - `url` should begin with `ldap://` and its port should be either the default LDAP port (389) or the default Global Catalog port (3268) in `nginx/nginx_ldap.conf` * **LDAPS** - - `NGINX_LDAP_TLS_STUNNEL` set to `false` in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) + - `NGINX_LDAP_TLS_STUNNEL` set to `false` in [`auth-common.env`](malcolm-config.md#MalcolmConfigEnvVars) - `url` should begin with `ldaps://` and its port should be either the default LDAPS port (636) or the default LDAPS Global Catalog port (3269) in `nginx/nginx_ldap.conf` * **Unencrypted** (clear text) (***not recommended***) - - `NGINX_LDAP_TLS_STUNNEL` set to `false` in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) + - `NGINX_LDAP_TLS_STUNNEL` set to `false` in [`auth-common.env`](malcolm-config.md#MalcolmConfigEnvVars) - `url` should begin with `ldap://` and its port should be either the default LDAP port (389) or the default Global Catalog port (3268) in `nginx/nginx_ldap.conf` For encrypted connections (whether using **StartTLS** or **LDAPS**), Malcolm will require and verify certificates when one or more trusted CA certificate files are placed in the `nginx/ca-trust/` directory. Otherwise, any certificate presented by the domain server will be accepted. 
@@ -102,4 +102,4 @@ When you [set up authentication](#AuthSetup) for Malcolm a set of unique [self-s Another option is to generate your own certificates (or have them issued to you) and have them placed in the `nginx/certs/` directory. The certificate and key file should be named `cert.pem` and `key.pem`, respectively. -A third possibility is to use a third-party reverse proxy (e.g., [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)) to handle the issuance of the certificates for you and to broker the connections between clients and Malcolm. Reverse proxies such as these often implement the [ACME](https://datatracker.ietf.org/doc/html/rfc8555) protocol for domain name authentication and can be used to request certificates from certificate authorities like [Let's Encrypt](https://letsencrypt.org/how-it-works/). In this configuration, the reverse proxy will be encrypting the connections instead of Malcolm, so you'll need to set the `NGINX_SSL` environment variable to `false` in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) (or answer `no` to the "Require encrypted HTTPS connections?" question posed by `install.py`). If you are setting `NGINX_SSL` to `false`, **make sure** you understand what you are doing and ensure that external connections cannot reach ports over which Malcolm will be communicating without encryption, including verifying your local firewall configuration. \ No newline at end of file +A third possibility is to use a third-party reverse proxy (e.g., [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)) to handle the issuance of the certificates for you and to broker the connections between clients and Malcolm. 
Reverse proxies such as these often implement the [ACME](https://datatracker.ietf.org/doc/html/rfc8555) protocol for domain name authentication and can be used to request certificates from certificate authorities like [Let's Encrypt](https://letsencrypt.org/how-it-works/). In this configuration, the reverse proxy will be encrypting the connections instead of Malcolm, so you'll need to set the `NGINX_SSL` environment variable to `false` in [`nginx.env`](malcolm-config.md#MalcolmConfigEnvVars) (or answer `no` to the "Require encrypted HTTPS connections?" question posed by `./scripts/configure`). If you are setting `NGINX_SSL` to `false`, **make sure** you understand what you are doing and ensure that external connections cannot reach ports over which Malcolm will be communicating without encryption, including verifying your local firewall configuration. \ No newline at end of file diff --git a/docs/components.md b/docs/components.md index c407f60e7..8f5b52e80 100644 --- a/docs/components.md +++ b/docs/components.md 
@@ -15,7 +15,6 @@ Malcolm leverages the following excellent open source tools, among others. * [ClamAV](https://www.clamav.net/) - an antivirus engine for scanning files extracted by Zeek * [CyberChef](https://github.com/gchq/CyberChef) - a "swiss-army knife" data conversion tool * [jQuery File Upload](https://github.com/blueimp/jQuery-File-Upload) - for uploading PCAP files and Zeek logs for processing -* [List.js](https://github.com/javve/list.js) - for the [host and subnet name mapping](host-and-subnet-mapping.md#HostAndSubnetNaming) interface * [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/) - for simple, reproducible deployment of the Malcolm appliance across environments and to coordinate communication between its various components * [NetBox](https://netbox.dev/) - a suite for modeling and documenting modern networks * [PostgreSQL](https://www.postgresql.org/) - a relational database for persisting NetBox's data diff --git a/docs/contributing-dashboards.md b/docs/contributing-dashboards.md index 6f53fb810..f819e7251 100644 --- a/docs/contributing-dashboards.md +++ b/docs/contributing-dashboards.md @@ -32,7 +32,7 @@ Visualizations and dashboards can be [easily created](dashboards.md#BuildDashboa } } ``` -1. Include the new dashboard either by using a [bind mount](contributing-local-modifications.md#Bind) for the `./dashboards./dashboards/` directory or by [rebuilding](development.md#Build) the `dashboards-helper` Docker image. Dashboards are imported the first time Malcolm starts up. +1. Include the new dashboard either by using a [bind mount](contributing-local-modifications.md#Bind) for the `./dashboards/dashboards/` directory or by [rebuilding](development.md#Build) the `dashboards-helper` Docker image. Dashboards are imported the first time Malcolm starts up. ## OpenSearch Dashboards plugins diff --git a/docs/contributing-file-scanners.md b/docs/contributing-file-scanners.md index 0dc0bd572..139e7b510 100644 
--- a/docs/contributing-file-scanners.md +++ b/docs/contributing-file-scanners.md @@ -11,4 +11,4 @@ When Zeek extracts a file it observes being transfered in network traffic, the ` Additional file scanners could either be added to the `file-monitor` service, or to avoid coupling with Malcolm's code you could simply define a new service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section and write your own scripts to subscribe and publish to the topics as described above. While that might be a bit of hand-waving, these general steps take care of the plumbing around extracting the file and notifying your tool, as well as handling the logging of "hits": you shouldn't have to really edit any *existing* code to add a new carved file scanner. -The `EXTRACTED_FILE_PIPELINE_DEBUG` and `EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA` environment variables in the `docker-compose` files can be set to `true` to enable verbose debug logging from the output of the Docker containers involved in the carved file processing pipeline. \ No newline at end of file +The `EXTRACTED_FILE_PIPELINE_VERBOSITY` environment variables in can be set to `-v`, `-vv`, etc., to increase the verbosity of debug logging from the output of the Docker containers involved in the carved file processing pipeline. \ No newline at end of file diff --git a/docs/contributing-local-modifications.md b/docs/contributing-local-modifications.md index 3a26098ab..289513aa3 100644 --- a/docs/contributing-local-modifications.md +++ b/docs/contributing-local-modifications.md 
@@ -1,6 +1,6 @@ # Local modifications -There are several ways to customize Malcolm's runtime behavior via local changes to configuration files. Many commonly-tweaked settings are discussed in the project [README](README.md) (see [`docker-compose.yml` parameters](malcolm-config.md#DockerComposeYml) and [Customizing event severity scoring](severity.md#SeverityConfig) for some examples). +There are several ways to customize Malcolm's runtime behavior via local changes to configuration files. Many commonly-tweaked settings are discussed in the project [README](README.md) (see [Environment Variable Files](malcolm-config.md#MalcolmConfigEnvVars) and [Customizing event severity scoring](severity.md#SeverityConfig) for some examples). ## Docker bind mounts 
@@ -8,99 +8,109 @@ Some configuration changes can be put in place by modifying local copies of conf ``` $ grep -P "^( - ./| [\w-]+:)" docker-compose-standalone.yml - opensearch: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro - - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/opensearch.keystore:rw - - ./opensearch:/usr/share/opensearch/data:delegated - - ./opensearch-backup:/opt/opensearch/backup:delegated - dashboards-helper: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - dashboards: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - logstash: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro - - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro - - ./logstash/certs/ca.crt:/certs/ca.crt:ro - - ./logstash/certs/server.crt:/certs/server.crt:ro - - ./logstash/certs/server.key:/certs/server.key:ro - - ./net-map.json:/usr/share/logstash/config/net-map.json:ro - filebeat: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./zeek-logs:/zeek - - ./suricata-logs:/suricata - - ./filebeat/certs/ca.crt:/certs/ca.crt:ro - - ./filebeat/certs/client.crt:/certs/client.crt:ro - - ./filebeat/certs/client.key:/certs/client.key:ro - arkime: - - ./auth.env - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./pcap:/data/pcap - - ./arkime-logs:/opt/arkime/logs - - ./arkime-raw:/opt/arkime/raw - zeek: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./pcap:/pcap - - 
./zeek-logs/upload:/zeek/upload - - ./zeek-logs/extract_files:/zeek/extract_files - - ./zeek/intel:/opt/zeek/share/zeek/site/intel - zeek-live: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./zeek-logs/live:/zeek/live - - ./zeek-logs/extract_files:/zeek/extract_files - - ./zeek/intel:/opt/zeek/share/zeek/site/intel - suricata: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./suricata-logs:/var/log/suricata - - ./pcap:/data/pcap - - ./suricata/rules:/opt/suricata/rules:ro - suricata-live: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./suricata-logs:/var/log/suricata - - ./suricata/rules:/opt/suricata/rules:ro - file-monitor: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./zeek-logs/extract_files:/zeek/extract_files - - ./zeek-logs/current:/zeek/logs - - ./yara/rules:/yara-rules/custom:ro - pcap-capture: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./pcap/upload:/pcap - pcap-monitor: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - - ./zeek-logs:/zeek - - ./pcap:/pcap - upload: - - ./auth.env - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./pcap/upload:/var/www/upload/server/php/chroot/files - htadmin: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw - - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw - freq: - - ./nginx/ca-trust:/var/local/ca-trust:ro - name-map-ui: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./net-map.json:/var/www/html/maps/net-map.json:rw - api: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - nginx-proxy: - - ./nginx/ca-trust:/var/local/ca-trust:ro - - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro - - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro - - ./nginx/certs:/etc/nginx/certs:ro - - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro +opensearch: + - 
./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/curlrc/.opensearch.secondary.curlrc:ro + - ./opensearch:/usr/share/opensearch/data:delegated + - ./opensearch-backup:/opt/opensearch/backup:delegated + - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/persist/opensearch.keystore:rw +dashboards-helper: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/curlrc/.opensearch.secondary.curlrc:ro +dashboards: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro +logstash: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/curlrc/.opensearch.secondary.curlrc:ro + - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro + - ./logstash/certs/ca.crt:/certs/ca.crt:ro + - ./logstash/certs/server.crt:/certs/server.crt:ro + - ./logstash/certs/server.key:/certs/server.key:ro +filebeat: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./zeek-logs:/zeek + - ./suricata-logs:/suricata + - ./filebeat/certs/ca.crt:/certs/ca.crt:ro + - ./filebeat/certs/client.crt:/certs/client.crt:ro + - ./filebeat/certs/client.key:/certs/client.key:ro +arkime: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./pcap:/data/pcap + - ./arkime-logs:/opt/arkime/logs + - ./arkime-raw:/opt/arkime/raw +zeek: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./pcap:/pcap + - ./zeek-logs/upload:/zeek/upload + - ./zeek-logs/extract_files:/zeek/extract_files + - ./zeek/intel:/opt/zeek/share/zeek/site/intel 
+zeek-live: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./zeek-logs/live:/zeek/live + - ./zeek-logs/extract_files:/zeek/extract_files + - ./zeek/intel:/opt/zeek/share/zeek/site/intel +suricata: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./suricata-logs:/var/log/suricata + - ./pcap:/data/pcap + - ./suricata/rules:/opt/suricata/rules:ro +suricata-live: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./suricata-logs:/var/log/suricata + - ./suricata/rules:/opt/suricata/rules:ro +file-monitor: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./zeek-logs/extract_files:/zeek/extract_files + - ./zeek-logs/current:/zeek/logs + - ./yara/rules:/yara-rules/custom:ro +pcap-capture: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./pcap/upload:/pcap +pcap-monitor: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./zeek-logs:/zeek + - ./pcap:/pcap +upload: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./pcap/upload:/var/www/upload/server/php/chroot/files +htadmin: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw + - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw + - ./nginx/htpasswd:/var/www/htadmin/auth/htpasswd:rw +freq: + - ./nginx/ca-trust:/var/local/ca-trust:ro +netbox: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./netbox/config/configuration:/etc/netbox/config:ro + - ./netbox/config/reports:/etc/netbox/reports:ro + - ./netbox/config/scripts:/etc/netbox/scripts:ro + - ./netbox/media:/opt/netbox/netbox/media:rw + - ./net-map.json:/usr/local/share/net-map.json:ro +netbox-postgres: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./netbox/postgres:/var/lib/postgresql/data:rw +netbox-redis: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./netbox/redis:/data +netbox-redis-cache: + - ./nginx/ca-trust:/var/local/ca-trust:ro +api: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - 
./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro +nginx-proxy: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro + - ./nginx/htpasswd:/etc/nginx/auth/htpasswd:ro + - ./nginx/certs:/etc/nginx/certs:ro + - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro ``` So, for example, if you wanted to make a change to the `nginx-proxy` container's `nginx.conf` file, you could add the following line to the `volumes:` section of the `nginx-proxy` service in your `docker-compose.yml` file: diff --git a/docs/contributing-logstash.md b/docs/contributing-logstash.md index d13c56b34..a628210ac 100644 --- a/docs/contributing-logstash.md +++ b/docs/contributing-logstash.md 
@@ -28,7 +28,7 @@ Logstash can then be easily extended to add more [`logstash/pipelines`]({{ site. So, in order to add a new **parse pipeline** for `cooltool` after tweaking [`filebeat.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/filebeat/filebeat.yml) as described above, create a `cooltool` directory under [`logstash/pipelines`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines) which follows the same pattern as the `zeek` parse pipeline. This directory will have an input file (tiny), a filter file (possibly large), and an output file (tiny). In your filter file, be sure to set the field [`event.hash`](https://www.elastic.co/guide/en/ecs/master/ecs-event.html#field-event-hash) to a unique value to identify indexed documents in OpenSearch; the [fingerprint filter](https://www.elastic.co/guide/en/logstash/current/plugins-filters-fingerprint.html) may be useful for this. -Finally, in your `docker-compose` files, set a new `LOGSTASH_PARSE_PIPELINE_ADDRESSES` environment variable under `logstash-variables` to `cooltool-parse,zeek-parse,suricata-parse,beats-parse` (assuming you named the pipeline address from the previous step `cooltool-parse`) so that logs sent from `filebeat` to `logstash` are forwarded to all parse pipelines. +Finally, in the [`./config/logstash.env` file](malcolm-config.md#MalcolmConfigEnvVars), set a new `LOGSTASH_PARSE_PIPELINE_ADDRESSES` environment variable to `cooltool-parse,zeek-parse,suricata-parse,beats-parse` (assuming you named the pipeline address from the previous step `cooltool-parse`) so that logs sent from `filebeat` to `logstash` are forwarded to all parse pipelines. ## Parsing new Zeek logs diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md index 04cdb7ae1..d77862cd6 100644 --- a/docs/contributing-pcap.md +++ b/docs/contributing-pcap.md 
@@ -9,4 +9,4 @@ When a PCAP is uploaded (either through Malcolm's [upload web interface](upload. While that might be a bit of hand-waving, these general steps take care of the PCAP processing piece: you shouldn't have to really edit any *existing* code to add a new PCAP processor. You're just creating a new container for the Malcolm appliance to the ZeroMQ topic and handle the PCAPs your tool receives. -The `PCAP_PIPELINE_DEBUG` and `PCAP_PIPELINE_DEBUG_EXTRA` environment variables in the `docker-compose` files can be set to `true` to enable verbose debug logging from the output of the Docker containers involved in the PCAP processing pipeline. +The `PCAP_PIPELINE_VERBOSITY` environment variables in can be set to `-v`, `-vv`, etc., to increase the verbosity of debug logging from the output of the Docker containers involved in the PCAP processing pipeline. \ No newline at end of file diff --git a/docs/contributing-zeek.md b/docs/contributing-zeek.md index db8bfc935..6846bbb46 100644 --- a/docs/contributing-zeek.md +++ b/docs/contributing-zeek.md 
@@ -2,7 +2,7 @@ ## `local.zeek` -Some Zeek behavior can be tweaked without having to manually edit configuration files through the use of environment variables: search for `ZEEK` in the [`docker-compose.yml` parameters](malcolm-config.md#DockerComposeYml) section of the documentation. +Some Zeek behavior can be tweaked through the use of [environment variables](malcolm-config.md#MalcolmConfigEnvVars) in the `.env` files beginning with `zeek…`. Other changes to Zeek's behavior could be made by modifying [local.zeek]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/zeek/config/local.zeek) and either using a [bind mount](contributing-local-modifications.md#Bind) or [rebuilding](development.md#Build) the `zeek` Docker image with the modification. See the [Zeek documentation](https://docs.zeek.org/en/master/quickstart.html#local-site-customization) for more information on customizing a Zeek instance. Note that changing Zeek's behavior could result in changes to the format of the logs Zeek generates, which could break Malcolm's parsing of those logs, so exercise caution. diff --git a/docs/development.md b/docs/development.md index 6633038af..a8829ae46 100644 --- a/docs/development.md +++ b/docs/development.md 
@@ -11,6 +11,7 @@ Checking out the [Malcolm source code]({{ site.github.repository_url }}/tree/{{ * `arkime-logs` - an initially empty directory to which the `arkime` container will write some debug log files * `arkime-raw` - an initially empty directory to which the `arkime` container will write captured PCAP files; as Arkime as employed by Malcolm is currently used for processing previously-captured PCAP files, this directory is currently unused * `Dockerfiles` - a directory containing build instructions for Malcolm's docker images +* `config` - a directory containing the environment variable files that define Malcolm's configuration * `docs` - a directory containing instructions and documentation * `opensearch` - an initially empty directory where the OpenSearch database instance will reside * `opensearch-backup` - an initially empty directory for storing OpenSearch [index snapshots](index-management.md#IndexManagement) 
@@ -22,7 +23,6 @@ Checking out the [Malcolm source code]({{ site.github.repository_url }}/tree/{{ * `dashboards` - code and configuration for the `dashboards` container for creating additional ad-hoc visualizations and dashboards beyond that which is provided by Arkime Viewer * `logstash` - code and configuration for the `logstash` container which parses Zeek logs and forwards them to the `opensearch` container * `malcolm-iso` - code and configuration for building an [installer ISO](malcolm-iso.md#ISO) for a minimal Debian-based Linux installation for running Malcolm -* `name-map-ui` - code and configuration for the `name-map-ui` container which provides the [host and subnet name mapping](host-and-subnet-mapping.md#HostAndSubnetNaming) interface * `netbox` - code and configuration for the `netbox`, `netbox-postgres`, `netbox-redis` and `netbox-redis-cache` containers which provide asset management capabilities * `nginx` - configuration for the `nginx` reverse proxy container * `pcap` - an initially empty directory for PCAP files to be uploaded, processed, and stored @@ -39,8 +39,6 @@ Checking out the [Malcolm source code]({{ site.github.repository_url }}/tree/{{ and the following files of special note: -* `auth.env` - the script `./scripts/auth_setup` prompts the user for the administrator credentials used by the Malcolm appliance, and `auth.env` is the environment file where those values are stored -* `net-map.json` - a JSON-formatted file mapping devices and network segments to their names * `docker-compose.yml` - the configuration file used by `docker-compose` to build, start, and stop an instance of the Malcolm appliance * `docker-compose-standalone.yml` - similar to `docker-compose.yml`, only used for the ["packaged"](#Packager) installation of Malcolm 
@@ -64,7 +62,6 @@ Then, go take a walk or something since it will be a while. When you're done, yo * `ghcr.io/idaholab/malcolm/freq` (based on `debian:11-slim`) * `ghcr.io/idaholab/malcolm/htadmin` (based on `debian:11-slim`) * `ghcr.io/idaholab/malcolm/logstash-oss` (based on `opensearchproject/logstash-oss-with-opensearch-output-plugin`) -* `ghcr.io/idaholab/malcolm/name-map-ui` (based on `alpine:3.17`) * `ghcr.io/idaholab/malcolm/netbox` (based on `netboxcommunity/netbox:latest`) * `ghcr.io/idaholab/malcolm/nginx-proxy` (based on `alpine:3.17`) * `ghcr.io/idaholab/malcolm/opensearch` (based on `opensearchproject/opensearch`) @@ -93,7 +90,7 @@ Administrator username: analyst analyst password: analyst password (again): -Additional local accounts can be created at https://localhost:488/ when Malcolm is running +Additional local accounts can be created at https://localhost/auth/ when Malcolm is running (Re)generate self-signed certificates for HTTPS access (Y/n): y @@ -131,9 +128,8 @@ A minute or so after starting Malcolm, the following services will be accessible - OpenSearch Dashboards: https://localhost/dashboards/ - PCAP upload (web): https://localhost/upload/ - PCAP upload (sftp): sftp://USERNAME@127.0.0.1:8022/files/ - - Host and subnet name mapping editor: https://localhost/name-map-ui/ - NetBox: https://localhost/netbox/ - - Account management: https://localhost:488/ + - Account management: https://localhost/auth/ - Documentation: https://localhost/readme/ ``` diff --git a/docs/download.md b/docs/download.md index 228d137d8..a9c6b154f 100644 --- a/docs/download.md +++ b/docs/download.md 
@@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno | ISO | SHA256 | |---|---| -| [malcolm-23.04.0.iso](/iso/malcolm-23.04.0.iso) (5.2GiB) | [`6f8292a3c0c0c43b3ea7919b0b5ad1caa1140796da315a779522cb998dea8d13`](/iso/malcolm-23.04.0.iso.sha256.txt) | +| [malcolm-23.05.0.iso](/iso/malcolm-23.05.0.iso) (5.3GiB) | [`e9e00694f25b9d0dcc286496490e184930611ddbed6c52dfab77a935d2afa850`](/iso/malcolm-23.05.0.iso.sha256.txt) | ## Hedgehog Linux @@ -26,7 +26,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno | ISO | SHA256 | |---|---| -| [hedgehog-23.04.0.iso](/iso/hedgehog-23.04.0.iso) (2.3GiB) | [`b0ef7afbd1fb8157b55115ca2a7ab118206b9498ab5a11c916f315c26775b0df`](/iso/hedgehog-23.04.0.iso.sha256.txt) | +| [hedgehog-23.05.0.iso](/iso/hedgehog-23.05.0.iso) (2.3GiB) | [`f850ecd3b62731b46ac0366bdcdd62437da30220c23f94013873c6c92cbddff7`](/iso/hedgehog-23.05.0.iso.sha256.txt) | ## Warning diff --git a/docs/file-scanning.md b/docs/file-scanning.md index 6d6396a9e..57c9560f8 100644 --- a/docs/file-scanning.md +++ b/docs/file-scanning.md 
@@ -1,6 +1,6 @@ # Automatic file extraction and scanning -Malcolm can leverage Zeek's knowledge of network protocols to automatically detect file transfers and extract those files from PCAPs as Zeek processes them. This behavior can be enabled globally by modifying the `ZEEK_EXTRACTOR_MODE` [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml), or on a per-upload basis for PCAP files uploaded via the [browser-based upload form](upload.md#Upload) when **Analyze with Zeek** is selected. +Malcolm can leverage Zeek's knowledge of network protocols to automatically detect file transfers and extract those files from PCAPs as Zeek processes them. This behavior can be enabled globally by modifying the `ZEEK_EXTRACTOR_MODE` [variable in `zeek.env`](malcolm-config.md#MalcolmConfigEnvVars), or on a per-upload basis for PCAP files uploaded via the [browser-based upload form](upload.md#Upload) when **Analyze with Zeek** is selected. To specify which files should be extracted, the following values are acceptable in `ZEEK_EXTRACTOR_MODE`: 
@@ -12,17 +12,17 @@ To specify which files should be extracted, the following values are acceptable Extracted files can be examined through any of the following methods: -* submitting file hashes to [**VirusTotal**](https://www.virustotal.com/en/#search); to enable this method, specify the `VTOT_API2_KEY` [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) -* scanning files with [**ClamAV**](https://www.clamav.net/); to enable this method, set the `EXTRACTED_FILE_ENABLE_CLAMAV` [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) to `true` -* scanning files with [**Yara**](https://github.com/VirusTotal/yara); to enable this method, set the `EXTRACTED_FILE_ENABLE_YARA` [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) to `true` -* scanning PE (portable executable) files with [**Capa**](https://github.com/fireeye/capa); to enable this method, set the `EXTRACTED_FILE_ENABLE_CAPA` [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) to `true` +* submitting file hashes to [**VirusTotal**](https://www.virustotal.com/en/#search); to enable this method, specify the `VTOT_API2_KEY` [environment variable in `zeek-secret.env`](malcolm-config.md#MalcolmConfigEnvVars) +* scanning files with [**ClamAV**](https://www.clamav.net/); to enable this method, set the `EXTRACTED_FILE_ENABLE_CLAMAV` [environment variable in `zeek.env`](malcolm-config.md#MalcolmConfigEnvVars) to `true` +* scanning files with [**Yara**](https://github.com/VirusTotal/yara); to enable this method, set the `EXTRACTED_FILE_ENABLE_YARA` [environment variable in `zeek.env`](malcolm-config.md#MalcolmConfigEnvVars) to `true` +* scanning PE (portable executable) files with [**Capa**](https://github.com/fireeye/capa); to enable this method, set the `EXTRACTED_FILE_ENABLE_CAPA` [environment variable in `zeek.env`](malcolm-config.md#MalcolmConfigEnvVars) to `true` Files which are flagged via any 
of these methods will be logged as Zeek `signatures.log` entries, and can be viewed in the **Signatures** dashboard in OpenSearch Dashboards. -The `EXTRACTED_FILE_PRESERVATION` [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) determines the behavior for preservation of Zeek-extracted files: +The `EXTRACTED_FILE_PRESERVATION` [environment variable in `zeek.env`](malcolm-config.md#MalcolmConfigEnvVars) determines the behavior for preservation of Zeek-extracted files: * `quarantined`: preserve only flagged files in `./zeek-logs/extract_files/quarantine` * `all`: preserve flagged files in `./zeek-logs/extract_files/quarantine` and all other extracted files in `./zeek-logs/extract_files/preserved` * `none`: preserve no extracted files -The `EXTRACTED_FILE_HTTP_SERVER_…` [environment variables in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) configure access to the Zeek-extracted files path through the means of a simple HTTPS directory server. Beware that Zeek-extracted files may contain malware. As such, the files may be optionally encrypted upon download. \ No newline at end of file +The `EXTRACTED_FILE_HTTP_SERVER_…` [environment variables in `zeek.env`](malcolm-config.md#MalcolmConfigEnvVars) configure access to the Zeek-extracted files path through the means of a simple HTTPS directory server. Beware that Zeek-extracted files may contain malware. As such, the files may be optionally encrypted upon download (and decrypted using `openssl`, e.g., `openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe`) diff --git a/docs/hedgehog-config-root.md b/docs/hedgehog-config-root.md deleted file mode 100644 index 327463d6e..000000000 --- a/docs/hedgehog-config-root.md +++ /dev/null 
@@ -1,47 +0,0 @@ -# Interfaces, hostname, and time synchronization - -## Hostname - -The first step of sensor configuration is to configure the network interfaces and sensor hostname. Clicking the **Configure Interfaces and Hostname** toolbar icon (or, if you are at a command line prompt, running `configure-interfaces`) will prompt you for the root password you created during installation, after which the configuration welcome screen is shown. Select **Continue** to proceed. - -You may next select whether to configure the network interfaces, hostname, or time synchronization. - -![Selection to configure network interfaces, hostname, or time synchronization](./images/hedgehog/images/root_config_mode.png) - -Selecting **Hostname**, you will be presented with a summary of the current sensor identification information, after which you may specify a new sensor hostname. This name will be used to tag all events forwarded from this sensor in the events' **host.name** field. - -![Specifying a new sensor hostname](./images/hedgehog/images/hostname_setting.png) - -## Interfaces - -Returning to the configuration mode selection, choose **Interface**. You will be prompted if you would like help identifying network interfaces. If you select **Yes**, you will be prompted to select a network interface, after which that interface's link LED will blink for 10 seconds to help you in its identification. This network interface identification aid will continue to prompt you to identify further network interfaces until you select **No**. - -You will be presented with a list of interfaces to configure as the sensor management interface. This is the interface the sensor itself will use to communicate with the network in order to, for example, forward captured logs to an aggregate server. In order to do so, the management interface must be assigned an IP address. This is generally **not** the interface used for capturing data. Select the interface to which you wish to assign an IP address. 
The interfaces are listed by name and MAC address and the associated link speed is also displayed if it can be determined. For interfaces without a connected network cable, generally a `-1` will be displayed instead of the interface speed. - -![Management interface selection](./images/hedgehog/images/select_iface.png) - -Depending on the configuration of your network, you may now specify how the management interface will be assigned an IP address. In order to communicate with an event aggregator over the management interface, either **static** or **dhcp** must be selected. - -![Interface address source](./images/hedgehog/images/iface_mode.png) - -If you select static, you will be prompted to enter the IP address, netmask, and gateway to assign to the management interface. - -![Static IP configuration](./images/hedgehog/images/iface_static.png) - -In either case, upon selecting **OK** the network interface will be brought down, configured, and brought back up, and the result of the operation will be displayed. You may choose **Quit** upon returning to the configuration tool's welcome screen. - -## Time synchronization - -Returning to the configuration mode selection, choose **Time Sync**. Here you can configure the sensor to keep its time synchronized with either an NTP server (using the NTP protocol) or a local [Malcolm]({{ site.github.repository_url }}) aggregator or another HTTP/HTTPS server. On the next dialog, choose the time synchronization method you wish to configure. - -![Time synchronization method](./images/hedgehog/images/time_sync_mode.png) - -If **htpdate** is selected, you will be prompted to enter the IP address or hostname and port of an HTTP/HTTPS server (for a Malcolm instance, port `9200` may be used) and the time synchronization check frequency in minutes. A test connection will be made to determine if the time can be retrieved from the server. 
- -![*htpdate* configuration](./images/hedgehog/images/htpdate_setup.png) - -If *ntpdate* is selected, you will be prompted to enter the IP address or hostname of the NTP server. - -![NTP configuration](./images/hedgehog/images/ntp_host.png) - -Upon configuring time synchronization, a "Time synchronization configured successfully!" message will be displayed, after which you will be returned to the welcome screen. \ No newline at end of file diff --git a/docs/hedgehog-config-user.md b/docs/hedgehog-config-user.md deleted file mode 100644 index 4ec5f02f5..000000000 --- a/docs/hedgehog-config-user.md +++ /dev/null 
@@ -1,189 +0,0 @@ -# Capture, forwarding, and autostart services - -Clicking the **Configure Capture and Forwarding** toolbar icon (or, if you are at a command prompt, running `configure-capture`) will launch the configuration tool for capture and forwarding. The root password is not required as it was for the interface and hostname configuration, as sensor services are run under the non-privileged sensor account. Select **Continue** to proceed. You may select from a list of configuration options. - -![Select configuration mode](./images/hedgehog/images/capture_config_main.png) - -## Capture - -Choose **Configure Capture** to configure parameters related to traffic capture and local analysis. You will be prompted if you would like help identifying network interfaces. If you select **Yes**, you will be prompted to select a network interface, after which that interface's link LED will blink for 10 seconds to help you in its identification. This network interface identification aid will continue to prompt you to identify further network interfaces until you select **No**. - -You will be presented with a list of network interfaces and prompted to select one or more capture interfaces. An interface used to capture traffic is generally a different interface than the one selected previously as the management interface, and each capture interface should be connected to a network tap or span port for traffic monitoring. Capture interfaces are usually not assigned an IP address as they are only used to passively “listen” to the traffic on the wire. The interfaces are listed by name and MAC address and the associated link speed is also displayed if it can be determined. For interfaces without a connected network cable, generally a `-1` will be displayed instead of the interface speed. - -![Select capture interfaces](./images/hedgehog/images/capture_iface_select.png) - -Upon choosing the capture interfaces and selecting OK, you may optionally provide a capture filter. 
This filter will be used to limit what traffic the PCAP service ([`tcpdump`](https://www.tcpdump.org/)) and the traffic analysis services ([`zeek`](https://www.zeek.org/) and [`suricata`](https://suricata.io/)) will see. Capture filters are specified using [Berkeley Packet Filter (BPF)](http://biot.com/capstats/bpf.html) syntax. Clicking **OK** will attempt to validate the capture filter, if specified, and will present a warning if the filter is invalid. - -![Specify capture filters](./images/hedgehog/images/capture_filter.png) - -Next you must specify the paths where captured PCAP files and logs will be stored locally on the sensor. If the installation worked as expected, these paths should be prepopulated to reflect paths on the volumes formatted at install time for the purpose storing these artifacts. Usually these paths will exist on separate storage volumes. Enabling the PCAP and log pruning autostart services (see the section on autostart services below) will enable monitoring of these paths to ensure that their contents do not consume more than 90% of their respective volumes' space. Choose **OK** to continue. - -![Specify capture paths](./images/hedgehog/images/capture_paths.png) - -### Automatic file extraction and scanning - -Hedgehog Linux can leverage Zeek's knowledge of network protocols to automatically detect file transfers and extract those files from network traffic as Zeek sees them. 
- -To specify which files should be extracted, specify the Zeek file carving mode: - -![Zeek file carving mode](./images/hedgehog/images/zeek_file_carve_mode.png) - -If you're not sure what to choose, either of **mapped (except common plain text files)** (if you want to carve and scan almost all files) or **interesting** (if you only want to carve and scan files with [mime types of common attack vectors]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/sensor-iso/interface/sensor_ctl/zeek/extractor_override.interesting.zeek)) is probably a good choice. - -Next, specify which carved files to preserve (saved on the sensor under `/capture/bro/capture/extract_files/quarantine` by default). In order to not consume all of the sensor's available storage space, the oldest preserved files will be pruned along with the oldest Zeek logs as described below with **AUTOSTART_PRUNE_ZEEK** in the [autostart services](#HedgehogConfigAutostart) section. - -You'll be prompted to specify which engine(s) to use to analyze extracted files. 
Extracted files can be examined through any of three methods: - -![File scanners](./images/hedgehog/images/zeek_file_carve_scanners.png) - -* scanning files with [**ClamAV**](https://www.clamav.net/); to enable this method, select **ZEEK_FILE_SCAN_CLAMAV** when specifying scanners for Zeek-carved files -* submitting file hashes to [**VirusTotal**](https://www.virustotal.com/en/#search); to enable this method, select **ZEEK_FILE_SCAN_VTOT** when specifying scanners for Zeek-carved files, then manually edit `/opt/sensor/sensor_ctl/control_vars.conf` and specify your [VirusTotal API key](https://developers.virustotal.com/reference) in `VTOT_API2_KEY` -* scanning files with [**Yara**](https://github.com/VirusTotal/yara); to enable this method, select **ZEEK_FILE_SCAN_YARA** when specifying scanners for Zeek-carved files -* scanning portable executable (PE) files with [**Capa**](https://github.com/fireeye/capa); to enable this method, select **ZEEK_FILE_SCAN_CAPA** when specifying scanners for Zeek-carved files - -Files which are flagged as potentially malicious will be logged as Zeek `signatures.log` entries, and can be viewed in the **Signatures** dashboard in [OpenSearch Dashboards]({{ site.github.repository_url }}#DashboardsVisualizations) when forwarded to Malcolm. - -![File quarantine](./images/hedgehog/images/file_quarantine.png) - -Finally, you will be presented with the list of configuration variables that will be used for capture, including the values which you have configured up to this point in this section. Upon choosing **OK** these values will be written back out to the sensor configuration file located at `/opt/sensor/sensor_ctl/control_vars.conf`. It is not recommended that you edit this file manually. After confirming these values, you will be presented with a confirmation that these settings have been written to the configuration file, and you will be returned to the welcome screen. 
- -## Forwarding - -Select **Configure Forwarding** to set up forwarding logs and statistics from the sensor to an aggregator server, such as [Malcolm]({{ site.github.repository_url }}). - -![Configure forwarders](./images/hedgehog/images/forwarder_config.png) - -There are five forwarder services used on the sensor, each for forwarding a different type of log or sensor metric. - -## capture: Arkime session forwarding - -[capture](https://github.com/arkime/arkime/tree/master/capture) is not only used to capture PCAP files, but also the parse raw traffic into sessions and forward this session metadata to an [OpenSearch](https://opensearch.org/) database so that it can be viewed in [Arkime viewer](https://arkime.com/), whether standalone or as part of a [Malcolm]({{ site.github.repository_url }}) instance. If you're using Hedgehog Linux with Malcolm, please read [Correlating Zeek logs and Arkime sessions]({{ site.github.repository_url }}#ZeekArkimeFlowCorrelation) in the Malcolm documentation for more information. - -First, select the OpenSearch connection transport protocol, either **HTTPS** or **HTTP**. If the metrics are being forwarded to Malcolm, select **HTTPS** to encrypt messages from the sensor to the aggregator using TLS v1.2 using ECDHE-RSA-AES128-GCM-SHA256. If **HTTPS** is chosen, you must choose whether to enable SSL certificate verification. If you are using a self-signed certificate (such as the one automatically created during [Malcolm's configuration]({{ site.github.repository_url }}#configure-authentication)), choose **None**. - -![OpenSearch connection protocol](./images/hedgehog/images/opensearch_connection_protocol.png) ![OpenSearch SSL verification](./images/hedgehog/images/opensearch_ssl_verification.png) - -Next, enter the **OpenSearch host** IP address (ie., the IP address of the aggregator) and port. These metrics are written to an OpenSearch database using a RESTful API, usually using port 9200. 
Depending on your network configuration, you may need to open this port in your firewall to allow this connection from the sensor to the aggregator. - -![OpenSearch host and port](./images/hedgehog/images/arkime-capture-ip-port.png) - -You will be asked to enter authentication credentials for the sensor's connections to the aggregator's OpenSearch API. After you've entered the username and the password, the sensor will attempt a test connection to OpenSearch using the connection information provided. - -![OpenSearch username](./images/hedgehog/images/opensearch_username.png) ![OpenSearch password](./images/hedgehog/images/opensearch_password.png) ![Successful OpenSearch connection](./images/hedgehog/images/opensearch_connection_success.png) - -Finally, you will be shown a dialog for a list of IP addresses used to populate an access control list (ACL) for hosts allowed to connect back to the sensor for retrieving session payloads from its PCAP files for display in Arkime viewer. The list will be prepopulated with the IP address entered a few screens prior to this one. - -![PCAP retrieval ACL](./images/hedgehog/images/malcolm_arkime_reachback_acl.png) - -Finally, you'll be given the opportunity to review the all of the Arkime `capture` options you've specified. Selecting **OK** will cause the parameters to be saved and you will be returned to the configuration tool's welcome screen. - -![capture settings confirmation](./images/hedgehog/images/arkime_confirm.png) - -## filebeat: Zeek and Suricata log forwarding - -[Filebeat](https://www.elastic.co/products/beats/filebeat) is used to forward [Zeek](https://www.zeek.org/) and [Suricata](https://suricata.io/) logs to a remote [Logstash](https://www.elastic.co/products/logstash) instance for further enrichment prior to insertion into an [OpenSearch](https://opensearch.org/) database. - -To configure filebeat, first provide the log path (the same path previously configured for log file generation). 
- -![Configure filebeat for log forwarding](./images/hedgehog/images/filebeat_log_path.png) - -You must also provide the IP address of the Logstash instance to which the logs are to be forwarded, and the port on which Logstash is listening. These logs are forwarded using the Beats protocol, generally over port 5044. Depending on your network configuration, you may need to open this port in your firewall to allow this connection from the sensor to the aggregator. - -![Configure filebeat for log forwrading](./images/hedgehog/images/filebeat_ip_port.png) - -Next you are asked whether the connection used for log forwarding should be done **unencrypted** or over **SSL**. Unencrypted communication requires less processing overhead and is simpler to configure, but the contents of the logs may be visible to anyone who is able to intercept that traffic. - -![Filebeat SSL certificate verification](./images/hedgehog/images/filebeat_ssl.png) - -If **SSL** is chosen, you must choose whether to enable [SSL certificate verification](https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html). If you are using a self-signed certificate (such as the one automatically created during [Malcolm's configuration]({{ site.github.repository_url }}#configure-authentication), choose **None**. - -![Unencrypted vs. SSL encryption for log forwarding](./images/hedgehog/images/filebeat_ssl_verify.png) - -The last step for SSL-encrypted log forwarding is to specify the SSL certificate authority, certificate, and key files. These files must match those used by the Logstash instance receiving the logs on the aggregator. If Malcolm's `auth_setup` script was used to generate these files they would be found in the `filebeat/certs/` subdirectory of the Malcolm installation and must be manually copied to the sensor (stored under `/opt/sensor/sensor_ctl/logstash-client-certificates` or in any other path accessible to the sensor account). 
Specify the location of the certificate authorities file (eg., `ca.crt`), the certificate file (eg., `client.crt`), and the key file (eg., `client.key`). - -![SSL certificate files](./images/hedgehog/images/filebeat_certs.png) - -The Logstash instance receiving the events must be similarly configured with matching SSL certificate and key files. Under Malcolm, the `BEATS_SSL` variable must be set to `true` in Malcolm's `docker-compose.yml` file and the SSL files must exist in the `logstash/certs/` subdirectory of the Malcolm installation. - -Once you have specified all of the filebeat parameters, you will be presented with a summary of the settings related to the forwarding of these logs. Selecting **OK** will cause the parameters to be written to filebeat's configuration keystore under `/opt/sensor/sensor_ctl/logstash-client-certificates` and you will be returned to the configuration tool's welcome screen. - -![Confirm filebeat settings](./images/hedgehog/images/filebeat_confirm.png) - -## miscbeat: System metrics forwarding - -The sensor uses [Fluent Bit](https://fluentbit.io/) to gather miscellaneous system resource metrics (CPU, network I/O, disk I/O, memory utilization, temperature, etc.) and the [Beats](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) protocol to forward these metrics to a remote [Logstash](https://www.elastic.co/products/logstash) instance for further enrichment prior to insertion into an [OpenSearch](https://opensearch.org/) database. Metrics categories can be enabled/disabled as described in the [autostart services](#HedgehogConfigAutostart) section of this document. - -This forwarder's configuration is almost identical to that of [filebeat](#Hedgehogfilebeat) in the previous section. Select `miscbeat` from the forwarding configuration mode options and follow the same steps outlined above to set up this forwarder. 
- -## Autostart services - -Once the forwarders have been configured, the final step is to **Configure Autostart Services**. Choose this option from the configuration mode menu after the welcome screen of the sensor configuration tool. - -Despite configuring capture and/or forwarder services as described in previous sections, only services enabled in the autostart configuration will run when the sensor starts up. The available autostart processes are as follows (recommended services are in **bold text**): - -* **AUTOSTART_ARKIME** - [capture](#Hedgehogarkime-capture) PCAP engine for traffic capture, as well as traffic parsing and metadata insertion into OpenSearch for viewing in [Arkime](https://arkime.com/). If you are using Hedgehog Linux along with [Malcolm]({{ site.github.repository_url }}) or another Arkime installation, this is probably the packet capture engine you want to use. -* **AUTOSTART_CLAMAV_UPDATES** - Virus database update service for ClamAV (requires sensor to be connected to the internet) -* **AUTOSTART_FILEBEAT** - [filebeat](#Hedgehogfilebeat) Zeek and Suricata log forwarder -* **AUTOSTART_FLUENTBIT_AIDE** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/exec) [AIDE](https://aide.github.io/) file system integrity checks -* **AUTOSTART_FLUENTBIT_AUDITLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/tail) [auditd](https://man7.org/linux/man-pages/man8/auditd.8.html) logs -* *AUTOSTART_FLUENTBIT_KMSG* - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/kernel-logs) the Linux kernel log buffer (these are generally reflected in syslog as well, which may make this agent redundant) -* **AUTOSTART_FLUENTBIT_METRICS** - [Fluent Bit](https://fluentbit.io/) agent for collecting [various](https://docs.fluentbit.io/manual/pipeline/inputs) system resource and performance metrics -* 
**AUTOSTART_FLUENTBIT_SYSLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/syslog) Linux syslog messages -* **AUTOSTART_FLUENTBIT_THERMAL** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/thermal) system temperatures -* **AUTOSTART_MISCBEAT** - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) forwarder which sends system metrics collected by [Fluent Bit](https://fluentbit.io/) to a remote Logstash instance (e.g., [Malcolm]({{ site.github.repository_url }})'s) -* *AUTOSTART_NETSNIFF* - [netsniff-ng](http://netsniff-ng.org/) PCAP engine for saving packet capture (PCAP) files -* **AUTOSTART_PRUNE_PCAP** - storage space monitor to ensure that PCAP files do not consume more than 90% of the total size of the storage volume to which PCAP files are written -* **AUTOSTART_PRUNE_ZEEK** - storage space monitor to ensure that Zeek logs do not consume more than 90% of the total size of the storage volume to which Zeek logs are written -* **AUTOSTART_SURICATA** - [Suricata](https://suricata.io/) traffic analysis engine -* **AUTOSTART_SURICATA_UPDATES** - Rule update service for Suricata (requires sensor to be connected to the internet) -* *AUTOSTART_TCPDUMP* - [tcpdump](https://www.tcpdump.org/) PCAP engine for saving packet capture (PCAP) files -* **AUTOSTART_ZEEK** - [Zeek](https://www.zeek.org/) traffic analysis engine - -Note that only one packet capture engine ([capture](https://arkime.com/), [netsniff-ng](http://netsniff-ng.org/), or [tcpdump](https://www.tcpdump.org/)) can be used. - -![Autostart services](./images/hedgehog/images/autostarts.png) - -Once you have selected the autostart services, you will be prompted to confirm your selections. Doing so will cause these values to be written back out to the `/opt/sensor/sensor_ctl/control_vars.conf` configuration file. 
-
-![Autostart services confirmation](./images/hedgehog/images/autostarts_confirm.png)
-
-After you have completed configuring the sensor it is recommended that you reboot the sensor to ensure all new settings take effect. If rebooting is not an option, you may click the **Restart Sensor Services** menu icon in the top menu bar, or open a terminal and run:
-
-```
-/opt/sensor/sensor_ctl/shutdown && sleep 10 && /opt/sensor/sensor_ctl/supervisor.sh
-```
-
-This will cause the sensor services controller to stop, wait a few seconds, and restart. You can check the status of the sensor's processes by choosing **Sensor Status** from the sensor's kiosk mode, clicking the **Sensor Service Status** toolbar icon, or running `/opt/sensor/sensor_ctl/status` from the command line:
-
-```
-$ /opt/sensor/sensor_ctl/status
-arkime:arkime-capture RUNNING pid 6455, uptime 0:03:17
-arkime:arkime-viewer RUNNING pid 6456, uptime 0:03:17
-beats:filebeat RUNNING pid 6457, uptime 0:03:17
-beats:miscbeat RUNNING pid 6458, uptime 0:03:17
-clamav:clamav-service RUNNING pid 6459, uptime 0:03:17
-clamav:clamav-updates RUNNING pid 6461, uptime 0:03:17
-fluentbit-auditlog RUNNING pid 6463, uptime 0:03:17
-fluentbit-kmsg STOPPED Not started
-fluentbit-metrics:cpu RUNNING pid 6466, uptime 0:03:17
-fluentbit-metrics:df RUNNING pid 6471, uptime 0:03:17
-fluentbit-metrics:disk RUNNING pid 6468, uptime 0:03:17
-fluentbit-metrics:mem RUNNING pid 6472, uptime 0:03:17
-fluentbit-metrics:mem_p RUNNING pid 6473, uptime 0:03:17
-fluentbit-metrics:netif RUNNING pid 6474, uptime 0:03:17
-fluentbit-syslog RUNNING pid 6478, uptime 0:03:17
-fluentbit-thermal RUNNING pid 6480, uptime 0:03:17
-netsniff:netsniff-enp1s0 STOPPED Not started
-prune:prune-pcap RUNNING pid 6484, uptime 0:03:17
-prune:prune-zeek RUNNING pid 6486, uptime 0:03:17
-supercronic RUNNING pid 6490, uptime 0:03:17
-suricata RUNNING pid 6501, uptime 0:03:17
-tcpdump:tcpdump-enp1s0 STOPPED Not started
-zeek:capa RUNNING pid 6553, uptime 0:03:17
-zeek:clamav RUNNING pid 6512, uptime 0:03:17
-zeek:logger RUNNING pid 6554, uptime 0:03:17
-zeek:virustotal STOPPED Not started
-zeek:watcher RUNNING pid 6510, uptime 0:03:17
-zeek:yara RUNNING pid 6548, uptime 0:03:17
-zeek:zeekctl RUNNING pid 6502, uptime 0:03:17
-```
\ No newline at end of file
diff --git a/docs/hedgehog-config-zeek-intel.md b/docs/hedgehog-config-zeek-intel.md
deleted file mode 100644
index cef702d53..000000000
--- a/docs/hedgehog-config-zeek-intel.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# Zeek Intelligence Framework
-
-To quote Zeek's [Intelligence Framework](https://docs.zeek.org/en/master/frameworks/intel.html) documentation, "The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item." Zeek [intelligence](https://docs.zeek.org/en/master/scripts/base/frameworks/intel/main.zeek.html) [indicator types](https://docs.zeek.org/en/master/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Type) include IP addresses, URLs, file names, hashes, email addresses, and more.
-
-Hedgehog Linux doesn't come bundled with intelligence files from any particular feed, but they can be easily included into your local instance. Before Zeek starts, Hedgehog Linux configures it such that intelligence files will be automatically included in its local policy. Subdirectories under `/opt/sensor/sensor_ctl/zeek/intel` which contain their own `__load__.zeek` file will be `@load`-ed as-is, while subdirectories containing "loose" intelligence files will be [loaded](https://docs.zeek.org/en/master/frameworks/intel.html#loading-intelligence) automatically with a `redef Intel::read_files` directive.
-
-Note that Hedgehog Linux does not manage updates for these intelligence files. You should use the update mechanism suggested by your feeds' maintainers to keep them up to date. Adding and deleting intelligence files under this directory will take effect upon restarting Zeek.
\ No newline at end of file
diff --git a/docs/hedgehog-config.md b/docs/hedgehog-config.md
deleted file mode 100644
index 9fcb2fb4e..000000000
--- a/docs/hedgehog-config.md +++ /dev/null @@ -1,17 +0,0 @@ -# Configuration - -Kiosk mode can be exited by connecting an external USB keyboard and pressing **Alt+F4**, upon which the *sensor* user's desktop is shown. - -![Sensor login session desktop](./images/hedgehog/images/desktop.png) - -Several icons are available in the top menu bar: - -* **Terminal** - opens a command prompt in a terminal emulator -* **Browser** - opens a web browser -* **Kiosk** – returns the sensor to kiosk mode -* **README** – displays this document -* **Sensor status** – displays a list with the status of each sensor service -* **Configure capture and forwarding** – opens a dialog for configuring the sensor's capture and forwarding services, as well as specifying which services should autostart upon boot -* **Configure interfaces and hostname** – opens a dialog for configuring the sensor's network interfaces and setting the sensor's hostname -* **Restart sensor services** - stops and restarts all of the [autostart services](hedgehog-config-user.md#HedgehogConfigAutostart) - diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md index 884995b0c..dcf35e219 100644 --- a/docs/hedgehog-iso-build.md +++ b/docs/hedgehog-iso-build.md @@ -29,7 +29,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu ``` … -Finished, created "/sensor-build/hedgehog-23.04.0.iso" +Finished, created "/sensor-build/hedgehog-23.05.0.iso" … ``` diff --git a/docs/hedgehog-upgrade.md b/docs/hedgehog-upgrade.md index 512b9af33..6c7e69e29 100644 --- a/docs/hedgehog-upgrade.md +++ b/docs/hedgehog-upgrade.md 
@@ -315,7 +315,7 @@ sensor@hedgehog:opt$ for BEAT in filebeat miscbeat; do cp /opt/sensor_upgrade_ba sensor@hedgehog:opt$ cp /opt/sensor_upgrade_backup_2020-05-07/sensor_ctl/filebeat/{ca.crt,client.crt,client.key} /opt/sensor/sensor_ctl/logstash-client-certificates/ ``` -24. Despite what we just did, you may consider running `capture-config` to re-configure [capture, forwarding, and autostart services](hedgehog-config-user.md#HedgehogConfigUser) from scratch anyway. You can use the backed-up version of `control_vars.conf` to refer back to as a basis for things you might want to restore (e.g., `CAPTURE_INTERFACE`, `CAPTURE_FILTER`, `PCAP_PATH`, `ZEEK_LOG_PATH`, your autostart settings, etc.). +24. Despite what we just did, you may consider running `capture-config` to re-configure [capture, forwarding, and autostart services](malcolm-hedgehog-e2e-iso-install.md#HedgehogInstallAndConfig) from scratch anyway. You can use the backed-up version of `control_vars.conf` to refer back to as a basis for things you might want to restore (e.g., `CAPTURE_INTERFACE`, `CAPTURE_FILTER`, `PCAP_PATH`, `ZEEK_LOG_PATH`, your autostart settings, etc.). 25. Once you feel confident you've completed all of these steps, issue a reboot on the Hedgehog diff --git a/docs/hedgehog.md b/docs/hedgehog.md index 8464427f6..a9d95ba9e 100644 --- a/docs/hedgehog.md +++ b/docs/hedgehog.md 
@@ -19,19 +19,17 @@ Hedgehog Linux is a Debian-based operating system built to - [Installer](hedgehog-installation.md#HedgehogInstaller) * [Boot](hedgehog-boot.md#HedgehogBoot) - [Kiosk mode](hedgehog-boot.md#HedgehogKioskMode) -* [Configuration](hedgehog-config.md#HedgehogConfiguration) - - [Interfaces, hostname, and time synchronization](hedgehog-config-root.md#HedgehogConfigRoot) - + [Hostname](hedgehog-config-root.md#HedgehogConfigHostname) - + [Interfaces](hedgehog-config-root.md#HedgehogConfigIface) - + [Time synchronization](hedgehog-config-root.md#HedgehogConfigTime) - - [Capture, forwarding, and autostart services](hedgehog-config-user.md#HedgehogConfigUser) - + [Capture](hedgehog-config-user.md#HedgehogConfigCapture) - * [Automatic file extraction and scanning](hedgehog-config-user.md#HedgehogZeekFileExtraction) - + [Forwarding](hedgehog-config-user.md#HedgehogConfigForwarding) - * [arkime-capture](hedgehog-config-user.md#Hedgehogarkime-capture): Arkime session forwarding - * [filebeat](hedgehog-config-user.md#Hedgehogfilebeat): Zeek and Suricata log forwarding - * [miscbeat](hedgehog-config-user.md#Hedgehogmiscbeat): System metrics forwarding - + [Autostart services](hedgehog-config-user.md#HedgehogConfigAutostart) +* [Configuration](malcolm-hedgehog-e2e-iso-install.md#HedgehogInstallAndConfig) + - [Configure Hostname, Interfaces and Time Sync](malcolm-hedgehog-e2e-iso-install.md#HedgehogInterfaces) + - [Configure Capture](malcolm-hedgehog-e2e-iso-install.md#HedgehogCapture) + + [Capture](malcolm-hedgehog-e2e-iso-install.md#HedgehogConfigCapture) + + [File extraction and scanning](malcolm-hedgehog-e2e-iso-install.md#HedgehogZeekFileExtraction) + - [Configure Forwarding](malcolm-hedgehog-e2e-iso-install.md#HedgehogConfigForwarding) + * [arkime-capture](malcolm-hedgehog-e2e-iso-install.md#Hedgehogarkime-capture): Arkime session forwarding + * [ssl-client-receive](malcolm-hedgehog-e2e-iso-install.md#HedgehogGetCerts): Receive client SSL files for filebeat 
from Malcolm + * [filebeat](malcolm-hedgehog-e2e-iso-install.md#Hedgehogfilebeat): Zeek and Suricata log forwarding + * [miscbeat](malcolm-hedgehog-e2e-iso-install.md#Hedgehogmiscbeat): System metrics forwarding + - [Autostart services](malcolm-hedgehog-e2e-iso-install.md#HedgehogConfigAutostart) + [Zeek Intelligence Framework](hedgehog-config-zeek-intel.md#HedgehogZeekIntel) * [Appendix A - Generating the ISO](hedgehog-iso-build.md#HedgehogISOBuild) * [Appendix B - Configuring SSH access](hedgehog-ssh.md#HedgehogConfigSSH) diff --git a/docs/host-and-subnet-mapping.md b/docs/host-and-subnet-mapping.md deleted file mode 100644 index 288e87f06..000000000 --- a/docs/host-and-subnet-mapping.md +++ /dev/null 
@@ -1,52 +0,0 @@ -# Automatic host and subnet name assignment - -* [Automatic host and subnet name assignment](host-and-subnet-mapping.md#HostAndSubnetNaming) - - [Defining hostname and CIDR subnet names interface](host-and-subnet-mapping.md#NameMapUI) - - [Applying mapping changes](host-and-subnet-mapping.md#ApplyMapping) - - [IP/MAC address to hostname mapping](host-and-subnet-mapping.md#HostNaming) - - [CIDR subnet to network segment name mapping](host-and-subnet-mapping.md#SegmentNaming) - -## Defining hostname and CIDR subnet names interface - -A **Host and Subnet Name Mapping** editor is available at [https://localhost/name-map-ui/](https://localhost/name-map-ui/) if you are connecting locally. Upon loading, the editor is populated from `net-map.json`. - -This editor provides the following controls: - -* 🔎 **Search mappings** - narrow the list of visible items using a search filter -* **Type**, **Address** and **Name** *(column headings)* - sort the list of items by clicking a column header -* 📝 *(per item)* - modify the selected item -* 🚫 *(per item)* - remove the selected item -* 🖳 **host** / 🖧 **segment**, **Address**, **Name** and 💾 - save the item with these values (either adding a new item or updating the item being modified) -* 📥 **Import** - clear the list and replace it with the contents of an uploaded `net-map.json` file -* 📤 **Export** - format and download the list as a `net-map.json` file -* 💾 **Save Mappings** - format and store `net-map.json` in the Malcolm directory (replacing the existing `net-map.json` file) -* 🔁 **Restart Logstash** - restart log ingestion, parsing and enrichment - -![Host and Subnet Name Mapping Editor](./images/screenshots/malcolm_name_map_ui.png) - -## Applying mapping changes - -When changes are made to `net-map.json`, Malcolm's Logstash container must be restarted. 
The easiest way to do this is to restart malcolm via `restart` (see [Stopping and restarting Malcolm](running.md#StopAndRestart)) or by clicking the 🔁 **Restart Logstash** button in the [name mapping interface](#NameMapUI) interface. - -Restarting Logstash may take several minutes, after which log ingestion will be resumed. - -## IP/MAC address to hostname mapping - -The editor described above can be used to define names for network devices based on IP and/or MAC addresses in Zeek logs. A device is identified by its address(es) and name. - -As Zeek logs are processed into Malcolm's OpenSearch instance, the log's source and destination IP and MAC address fields (`source.ip`, `destination.ip`, `source.mac`, and `destination.mac`, respectively) are compared against the address-to-name map. When a match is found, a new field is added to the log: `source.device` or `destination.device`, depending on whether the matching address belongs to the originating or responding host. - -`source.device` and `destination.device` may each contain multiple values. For example, if both a host's source IP address and source MAC address were matched by two different lines, `source.device` would contain the name from both matching lines. - -## CIDR subnet to network segment name mapping - -The editor described above can be also used to define names for network segments based on IP addresses in Zeek logs. A network segment is defined by its CIDR-formatted subnet IP range(s) and subnet name. - -As Zeek logs are processed into Malcolm's OpenSearch instance, the log's source and destination IP address fields (`source.ip` and `destination.ip`, respectively) are compared against the address-to-subnet map. When a match is found, a new field is added to the log: `source.segment` or `destination.segment`, depending on whether the matching address belongs to the originating or responding host. - -`source.segment` and `destination.segment` may each contain multiple values. 
For example, overlapping subnets are defined, `source.segment` would contain the subnet values for both if `source.ip` belonged to both subnets. - -If both `source.segment` and `destination.segment` are added to a log, and if they contain different values, the tag `cross_segment` will be added to the log's `tags` field for convenient identification of cross-segment traffic. This traffic could be easily visualized using Arkime's **Connections** graph, by setting the **Src:** value to **Originating Network Segment** and the **Dst:** value to **Responding Network Segment**: - -![Cross-segment traffic in Connections](./images/screenshots/arkime_connections_segments.png) - diff --git a/docs/host-config-windows.md b/docs/host-config-windows.md index c024bf79d..9545bea36 100644 --- a/docs/host-config-windows.md +++ b/docs/host-config-windows.md @@ -13,4 +13,4 @@ Installing and configuring [Docker to run under Windows](https://docs.docker.com ## Finish Malcolm's configuration -Once Docker is installed, configured and running as described in the previous section, run [`./scripts/install.py --configure`](malcolm-config.md#ConfigAndTuning) to finish configuration of the local Malcolm installation. Malcolm will be controlled and run from within your WSL distribution's terminal environment. \ No newline at end of file +Once Docker is installed, configured and running as described in the previous section, run [`./scripts/configure`](malcolm-config.md#ConfigAndTuning) to finish configuration of the local Malcolm installation. Malcolm will be controlled and run from within your WSL distribution's terminal environment. \ No newline at end of file diff --git a/docs/ics-best-guess.md b/docs/ics-best-guess.md index 08f5bb0c9..4e7ee6a6e 100644 --- a/docs/ics-best-guess.md +++ b/docs/ics-best-guess.md 
@@ -8,4 +8,4 @@ Naturally, these lookups could produce false positives, so these connections are
 ![](./images/screenshots/dashboards_bestguess.png)
-This feature is disabled by default, but it can be enabled by clearing (setting to `''`) the value of the `ZEEK_DISABLE_BEST_GUESS_ICS` environment variable in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml).
\ No newline at end of file
+This feature is disabled by default, but it can be enabled by clearing (setting to `''`) the value of the `ZEEK_DISABLE_BEST_GUESS_ICS` [environment variable in `zeek.env`](malcolm-config.md#MalcolmConfigEnvVars).
\ No newline at end of file
diff --git a/docs/images/hedgehog/images/forwarder_config.png b/docs/images/hedgehog/images/forwarder_config.png
index 4a4d0f2e3..b20139db3 100644
Binary files a/docs/images/hedgehog/images/forwarder_config.png and b/docs/images/hedgehog/images/forwarder_config.png differ
diff --git a/docs/images/hedgehog/images/pcap_compression.png b/docs/images/hedgehog/images/pcap_compression.png
new file mode 100644
index 000000000..0992069a3
Binary files /dev/null and b/docs/images/hedgehog/images/pcap_compression.png differ
diff --git a/docs/images/hedgehog/images/ssl_client_receive.png b/docs/images/hedgehog/images/ssl_client_receive.png
new file mode 100644
index 000000000..53ad7a48f
Binary files /dev/null and b/docs/images/hedgehog/images/ssl_client_receive.png differ
diff --git a/docs/images/hedgehog/images/ssl_client_receive_code.png b/docs/images/hedgehog/images/ssl_client_receive_code.png
new file mode 100644
index 000000000..bf903d69f
Binary files /dev/null and b/docs/images/hedgehog/images/ssl_client_receive_code.png differ
diff --git a/docs/images/hedgehog/images/ssl_client_transmit.png b/docs/images/hedgehog/images/ssl_client_transmit.png
new file mode 100644
index 000000000..f3fd88e2d
Binary files /dev/null and b/docs/images/hedgehog/images/ssl_client_transmit.png differ
diff --git a/docs/images/screenshots/arkime_sessions_node_filter.png b/docs/images/screenshots/arkime_sessions_node_filter.png
new file mode 100644
index 000000000..97a327d97
Binary files /dev/null and b/docs/images/screenshots/arkime_sessions_node_filter.png differ
diff --git a/docs/images/screenshots/iso_install_auth_setup.png b/docs/images/screenshots/iso_install_auth_setup.png
new file mode 100644
index 000000000..8fea88555
Binary files /dev/null and b/docs/images/screenshots/iso_install_auth_setup.png differ
diff --git a/docs/images/screenshots/iso_install_boot_menu_bios.png b/docs/images/screenshots/iso_install_boot_menu_bios.png
new file mode 100644
index 000000000..9de7b2108
Binary files /dev/null and b/docs/images/screenshots/iso_install_boot_menu_bios.png differ
diff --git a/docs/images/screenshots/iso_install_boot_menu_efi.png b/docs/images/screenshots/iso_install_boot_menu_efi.png
new file mode 100644
index 000000000..95c012fc8
Binary files /dev/null and b/docs/images/screenshots/iso_install_boot_menu_efi.png differ
diff --git a/docs/images/screenshots/iso_install_dd_linux.png b/docs/images/screenshots/iso_install_dd_linux.png
new file mode 100644
index 000000000..4bfbd6b06
Binary files /dev/null and b/docs/images/screenshots/iso_install_dd_linux.png differ
diff --git a/docs/images/screenshots/iso_install_etcher_macos.png b/docs/images/screenshots/iso_install_etcher_macos.png
new file mode 100644
index 000000000..251b48a8e
Binary files /dev/null and b/docs/images/screenshots/iso_install_etcher_macos.png differ
diff --git a/docs/images/screenshots/iso_install_malcolm_iso_menu_1.png b/docs/images/screenshots/iso_install_malcolm_iso_menu_1.png
new file mode 100644
index 000000000..1494f6899
Binary files /dev/null and b/docs/images/screenshots/iso_install_malcolm_iso_menu_1.png differ
diff --git a/docs/images/screenshots/iso_install_malcolm_iso_menu_2.png b/docs/images/screenshots/iso_install_malcolm_iso_menu_2.png
new file mode 100644
index 000000000..e459b9ebc
Binary files /dev/null and b/docs/images/screenshots/iso_install_malcolm_iso_menu_2.png differ
diff --git a/docs/images/screenshots/malcolm_desktop.png b/docs/images/screenshots/malcolm_desktop.png
new file mode 100644
index 000000000..a93168d43
Binary files /dev/null and b/docs/images/screenshots/malcolm_desktop.png differ
diff --git a/docs/images/screenshots/malcolm_first_boot_config.png b/docs/images/screenshots/malcolm_first_boot_config.png
new file mode 100644
index 000000000..f207485b8
Binary files /dev/null and b/docs/images/screenshots/malcolm_first_boot_config.png differ
diff --git a/docs/images/screenshots/malcolm_name_map_ui.png b/docs/images/screenshots/malcolm_name_map_ui.png
deleted file mode 100644
index 0026a4184..000000000
Binary files a/docs/images/screenshots/malcolm_name_map_ui.png and /dev/null differ
diff --git a/docs/index-management.md b/docs/index-management.md
index 2277fbd07..19441fb4f 100644
--- a/docs/index-management.md
+++ b/docs/index-management.md
@@ -2,6 +2,6 @@ Malcolm releases prior to v6.2.0 used environment variables to configure OpenSearch [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) [policies](https://opensearch.org/docs/latest/im-plugin/ism/policies/).
-Since then, OpenSearch Dashboards has developed and released plugins with UIs for [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/). Because these plugins provide a more comprehensive and user-friendly interfaces for these features, the old environment variable-based configuration code has been removed from Malcolm, with the exception of the code that uses `OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT` and `OPENSEARCH_INDEX_SIZE_PRUNE_NAME_SORT` which deals with deleting the oldest network session metadata indices when the database exceeds a certain size.
+Since then, OpenSearch Dashboards has developed and released plugins with UIs for [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/). Because these plugins provide a more comprehensive and user-friendly interfaces for these features, the old environment variable-based configuration code has been removed from Malcolm, with the exception of the code that uses the `OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT` and `OPENSEARCH_INDEX_SIZE_PRUNE_NAME_SORT` [variables in `dashboards-helper.env`](malcolm-config.md#MalcolmConfigEnvVars) and which deals with deleting the oldest network session metadata indices when the database exceeds a certain size.
-Note that OpenSearch index state management and snapshot management only deals with disk space consumed by OpenSearch indices: it does not have anything to do with PCAP file storage. 
The `MANAGE_PCAP_FILES` environment variable in the [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) file can be used to allow Arkime to prune old PCAP files based on available disk space. \ No newline at end of file +Note that OpenSearch index state management and snapshot management only deals with disk space consumed by OpenSearch indices: it does not have anything to do with PCAP file storage. The `MANAGE_PCAP_FILES` environment variable in the [`arkime.env` file](malcolm-config.md#MalcolmConfigEnvVars) can be used to allow Arkime to prune old PCAP files based on available disk space. \ No newline at end of file diff --git a/docs/kubernetes.md b/docs/kubernetes.md new file mode 100644 index 000000000..e743c10b5 --- /dev/null +++ b/docs/kubernetes.md 
@@ -0,0 +1,599 @@ +# Deploying Malcolm with Kubernetes + +* [Deploying Malcolm with Kubernetes](#Kubernetes) + - [System](#System) + + [Ingress Controller](#Ingress) + + [Kubernetes Provider Settings](#Limits) +* [Configuration](#Config) + - [OpenSearch Instances](#OpenSearchInstances) + - [PersistentVolumeClaim Definitions](#PVC) +* [Running Malcolm](#Running) +* [Deployment Example](#Example) +* [Future Enhancements](#Future) + - [Live Traffic Analysis](#FutureLiveCap) + - [Horizontal Scaling](#FutureScaleOut) + - [Helm Chart](#FutureHelmChart) + +## System + +### Ingress Controller + +Malcolm's [ingress controller manifest]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/00-ingress.yml) uses the [Ingress-NGINX controller for Kubernetes](https://github.com/kubernetes/ingress-nginx). A few Malcolm features require some customization when installing and configuring the Ingress-NGINX controller: + +* To [forward](malcolm-hedgehog-e2e-iso-install.md#HedgehogConfigForwarding) logs from a remote instance of [Hedgehog Linux](hedgehog.md): + - See ["Exposing TCP and UDP services"](https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/) in the Ingress-NGINX documentation. 
+ - You must configure the controller to start up with the `--tcp-services-configmap=ingress-nginx/tcp-services` flag: + ``` + apiVersion: apps/v1 + kind: Deployment + metadata: + … + name: ingress-nginx-controller + namespace: ingress-nginx + spec: + … + template: + … + spec: + containers: + + args: + + /nginx-ingress-controller + + --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + + --election-id=ingress-nginx-leader + + --controller-class=k8s.io/ingress-nginx + + --ingress-class=nginx + + --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + + --validating-webhook=:8443 + + --validating-webhook-certificate=/usr/local/certificates/cert + + --validating-webhook-key=/usr/local/certificates/key + + --enable-ssl-passthrough + + --tcp-services-configmap=ingress-nginx/tcp-services + … + ``` + + - You must add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` load-balancer service definition: + ``` + --- + apiVersion: v1 + kind: Service + metadata: + … + name: ingress-nginx-controller + namespace: ingress-nginx + spec: + externalTrafficPolicy: Local + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + - appProtocol: tcp + name: lumberjack + port: 5044 + targetPort: 5044 + protocol: TCP + - appProtocol: tcp + name: tcpjson + port: 5045 + targetPort: 5045 + protocol: TCP + - appProtocol: tcp + name: opensearch + port: 9200 + targetPort: 9200 + protocol: TCP + … + type: LoadBalancer + ``` + + - You must add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` deployment container's definition: + ``` + apiVersion: apps/v1 + kind: Deployment + metadata: + … + name: ingress-nginx-controller + namespace: ingress-nginx + spec: + … + template: + … + spec: + containers: + … + ports: + * containerPort: 80 + name: 
http + protocol: TCP + * containerPort: 443 + name: https + protocol: TCP + * containerPort: 8443 + name: webhook + protocol: TCP + * name: lumberjack + containerPort: 5044 + protocol: TCP + * name: tcpjson + containerPort: 5045 + protocol: TCP + * name: opensearch + containerPort: 9200 + protocol: TCP + … + ``` + +* To use [SSL Passthrough](https://kubernetes.github.io/ingress-nginx/user-guide/tls/) to have the Kubernetes gateway use Malcolm's TLS certificates rather than its own: + - You must configure the controller to start up with the `--enable-ssl-passthrough` flag. + ``` + apiVersion: apps/v1 + kind: Deployment + metadata: + … + name: ingress-nginx-controller + namespace: ingress-nginx + spec: + … + template: + … + spec: + containers: + * args: + * /nginx-ingress-controller + * --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + * --election-id=ingress-nginx-leader + * --controller-class=k8s.io/ingress-nginx + * --ingress-class=nginx + * --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + * --validating-webhook=:8443 + * --validating-webhook-certificate=/usr/local/certificates/cert + * --validating-webhook-key=/usr/local/certificates/key + * --enable-ssl-passthrough + * --tcp-services-configmap=ingress-nginx/tcp-services + … + ``` + + - You must modify Malcolm's [ingress controller manifest]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/00-ingress.yml) to specify the `host:` value and use [host-based routing](https://kubernetes.github.io/ingress-nginx/user-guide/basic-usage/): + + ``` + … + spec: + rules: + + host: malcolm.example.org + http: + paths: + + path: / + pathType: Prefix + backend: + service: + name: nginx-proxy + port: + number: 443 + … + ``` + +### Kubernetes Provider Settings + +OpenSearch has some [important settings](https://opensearch.org/docs/latest/install-and-configure/install-opensearch/index/#important-settings) that must be present on its underlying Linux system. 
How this settings are configured depends largely on the underlying host(s) running Kubernetes, how Kubernetes is installed or the cloud provider on which it is running. Consult your operating system or cloud provider documentation for how to configure these settings. + +Settings which likely need to be changed in the underlying host running Kubernetes include: + +* System settings (e.g., in `/etc/sysctl.conf`) + ``` + # the maximum number of memory map areas a process may have + vm.max_map_count=262144 + ``` +* System limits (e.g., in `/etc/security/limits.d/limits.conf`) + ``` + + soft nofile 65535 + + hard nofile 65535 + + soft memlock unlimited + + hard memlock unlimited + + soft nproc 262144 + + hard nproc 524288 + + soft core 0 + + hard core 0 + ``` + +## Configuration + +The steps to configure and tune Malcolm for a Kubernetes deployment are [very similar](malcolm-config.md#ConfigAndTuning) to those for a Docker-based deployment. Both methods use [environment variable files](malcolm-config.md#MalcolmConfigEnvVars) for Malcolm's runtime configuration. + +Malcolm's configuration and runtime scripts (e.g., `./scripts/configure`, `./scripts/auth_setup`, `./scripts/start`, etc.) are used for both Docker- and Kubernetes-based deployments. To indicate to these scripts that you're working with Kubernetes rather than `docker-compose`, provide the script with the [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) used to communicate with the API server of the Kubernetes cluster (e.g., `./scripts/configure -f k3s.yaml` or `./scripts/start -f kubeconfig.yaml`, etc.). The scripts will detect whether the YAML file specified is a kubeconfig file or a Docker compose file and act accordingly. + +Run `./scripts/configure` and answer the questions to configure Malcolm. 
For an in-depth treatment of these configuration questions, see the **Configuration** section in **[End-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig)**. You'll also need to run [`./scripts/auth_setup`](authsetup.md#AuthSetup) to configure authentication. + +### OpenSearch Instances + +While Malcolm can manage its own single-node OpenSearch instance as part of its Kubernetes deployment, it's likely you'll want to use an existing multi-node OpenSearch cluster hosted on Kubernetes or some other provider (see, for example, ["Setup OpenSearch multi-node cluster on Kubernetes using Helm Charts"](https://opensearch.org/blog/setup-multinode-cluster-kubernetes/) on the OpenSearch blog and ["OpenSearch Kubernetes Operator"](https://opensearch.org/docs/latest/tools/k8s-operator/) in the OpenSearch documentation). Review Malcolm's documentation on [OpenSearch instances](opensearch-instances.md#OpenSearchInstance) to configure your Malcolm deployment to use an OpenSearch cluster. + +### PersistentVolumeClaim Definitions + +Malcolm requires persistent [storage](https://kubernetes.io/docs/concepts/storage/) to be configured for its configuration and data files. There are various implementations for provisioning PersistentVolume resources using [storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/). 
Regardless of the types of storage underlying the PersistentVolumes, Malcolm requires the following PersistentVolumeClaims to be defined in the `malcolm` namespace: + +* `config-claim` - storage for configuration files +* `opensearch-backup-claim` - storage for OpenSearch snapshots (if using a local [OpenSearch instance](opensearch-instances.md#OpenSearchInstance)) +* `opensearch-claim` - storage for OpenSearch indices (if using a local [OpenSearch instance](opensearch-instances.md#OpenSearchInstance)) +* `pcap-claim` - storage for PCAP artifacts +* `runtime-logs-claim` - storage for runtime logs for some containers (e.g., nginx, Arkime) +* `suricata-claim` - storage for Suricata logs +* `zeek-claim` - storage for Zeek logs and files extracted by Zeek + +An example of how these PersistentVolume and PersistentVolumeClaim objects could be defined in the [kubernetes/01-volumes.yml.example]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/01-volumes.yml.example) manifest file. Before [running](#Running) Malcolm, copy the `01-volumes.yml.example` file to `01-volumes.yml` and modify (or replace) its contents to define your PersistentVolumeClaim objects. 
+ +If you attempt to start Malcolm without these PersistentVolumeClaims defined in a YAML file in Malcolm's `./kubernetes/` directory, you'll get an error like this: + +``` +$ ./scripts/start -f /path/to/kubeconfig.yml +Exception: Storage objects required by Malcolm are not defined in /home/user/Malcolm/kubernetes: {'PersistentVolumeClaim': ['pcap-claim', 'zeek-claim', 'suricata-claim', 'config-claim', 'runtime-logs-claim', 'opensearch-claim', 'opensearch-backup-claim']} +``` + +## Running Malcolm + +After you've [configured](#Config) Malcolm, use the `./scripts/start` script to create the Malcolm Kubernetes deployment, providing your kubeconfig file with the `-f`/`--file` argument: + +``` +$ ./scripts/start -f /path/to/kubeconfig.yml +``` + +The Kubernetes resources under the `malcolm` namespace (its pods, storage volumes, containers, etc.) will be initialized and started using the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/), including: + +* creating [ConfigMap objects](https://kubernetes.io/docs/concepts/configuration/configmap/) and [Secret objects](https://kubernetes.io/docs/concepts/configuration/secret/) from Malcolm's [environment variable files](malcolm-config.md#MalcolmConfigEnvVars) +* creating [ConfigMap objects](https://kubernetes.io/docs/concepts/configuration/configmap/) and [Secret objects](https://kubernetes.io/docs/concepts/configuration/secret/) from other configuration files stored locally below the Malcolm directory +* deploying the objects defined in the [Kubernetes manifests]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/) in `./kubernetes` + +After a few moments you can check the status of the deployment: + +``` +$ ./scripts/status -f /path/to/kubeconfig.yml +Node Name | Hostname | IP | Provider ID | Instance Type | Total CPU | CPU Usage | Percent CPU | Total Memory | Memory Usage | Total Storage | Current Pods | +server | server | 192.168.56.10 | server | k3s | 4000m | 
30.37m | 0.76% | 7.77Gi | 1.2Gi | 61.28Gi | 7 |
+agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 156.42m | 2.61% | 19.55Gi | 14.47Gi | 61.28Gi | 13 |
+agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 861.34m | 14.36% | 19.55Gi | 9.29Gi | 61.28Gi | 11 |
+
+Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
+api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.05.0 |
+file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.05.0 |
+zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.05.0 |
+dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.05.0 |
+upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.05.0 |
+filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.05.0 |
+zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.05.0 |
+logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.05.0 |
+netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.05.0 |
+suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.05.0 |
+dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi |
dashboards-container:0 | dashboards:23.05.0 |
+netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.05.0 |
+suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.05.0 |
+freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.05.0 |
+arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.05.0 |
+pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:23.05.0 |
+pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.05.0 |
+netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.05.0 |
+htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.05.0 |
+netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.05.0 |
+nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.05.0 |
+opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.05.0 |
+```
+
+The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`.
It must be deleted manually on the storage media underlying the PersistentVolumes.
+
+Malcolm's control scripts require the [official Python 3 client library for Kubernetes](https://github.com/kubernetes-client/python) to configure and run Malcolm with Kubernetes. It is also recommended to install **[stern](https://github.com/stern/stern)**, which is used by the `./scripts/logs` script to tail Malcolm's container logs.
+
+# Deployment Example
+
+Here's a basic step-by-step example illustrating how to deploy Malcolm with Kubernetes. For the sake of simplicity, this example uses vagrant (see [kubernetes/vagrant/Vagrantfile]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/vagrant/Vagrantfile)) to create a virtualized Kubernetes cluster with one control plane node and two worker nodes. It assumes you've downloaded and extracted the [release tarball]({{ site.github.repository_url }}/releases) or used `./scripts/malcolm_appliance_packager.sh` to package up the files needed to run Malcolm.
+
+```
+$ ls -l
+total 45,056
+drwxr-xr-x 2 user user 6 Apr 24 14:35 arkime-logs
+drwxr-xr-x 2 user user 6 Apr 24 14:35 arkime-raw
+drwxr-xr-x 2 user user 4,096 Apr 24 14:35 config
+drwxr-xr-x 3 user user 19 Apr 24 14:35 filebeat
+drwxr-xr-x 2 user user 6 Apr 24 14:35 htadmin
+drwxr-xr-x 3 user user 4,096 Apr 24 14:39 kubernetes
+drwxr-xr-x 4 user user 31 Apr 24 14:35 logstash
+drwxr-xr-x 6 user user 62 Apr 24 14:35 netbox
+drwxr-xr-x 4 user user 35 Apr 24 14:35 nginx
+drwxr-xr-x 3 user user 19 Apr 24 14:35 opensearch
+drwxr-xr-x 2 user user 6 Apr 24 14:35 opensearch-backup
+drwxr-xr-x 4 user user 37 Apr 24 14:35 pcap
+drwxr-xr-x 2 user user 4,096 Apr 24 14:35 scripts
+drwxr-xr-x 3 user user 19 Apr 24 14:35 suricata
+drwxr-xr-x 3 user user 18 Apr 24 14:35 suricata-logs
+drwxr-xr-x 3 user user 19 Apr 24 14:35 yara
+drwxr-xr-x 3 user user 19 Apr 24 14:35 zeek
+drwxr-xr-x 7 user user 85 Apr 24 14:35 zeek-logs
+-rw-r--r-- 1 user user 18,761 Apr 24 14:35 docker-compose.yml
+-rw-r--r-- 1 user user 2 Apr 24 14:35 net-map.json
+-rw-r--r-- 1 user user 3,453 Apr 24 14:35 README.md
+```
+
+Even before starting Malcolm, we can use the `status` script to make sure we're communicating with the Kubernetes cluster:
+
+```
+$ ./scripts/status -f /path/to/kubeconfig.yaml
+Node Name | Hostname | IP | Provider ID | Instance Type | Total CPU | CPU Usage | Percent CPU | Total Memory | Memory Usage | Total Storage | Current Pods |
+agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 32.06m | 0.53% | 19.55Gi | 346.3Mi | 61.28Gi | 1 |
+agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 26.7m | 0.45% | 19.55Gi | 353.2Mi | 61.28Gi | 1 |
+server | server | 192.168.56.10 | server | k3s | 4000m | 290.15m | 7.25% | 7.77Gi | 1.04Gi | 61.28Gi | 7 |
+
+Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
+```
+
+Run `./scripts/configure` and answer the questions to configure Malcolm.
For an in-depth treatment of these configuration questions, see the **Configuration** section in **[End-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig)**:
+
+
+```
+$ ./scripts/configure -f /path/to/kubeconfig.yaml
+
+Malcolm processes will run as UID 1000 and GID 1000. Is this OK? (Y/n): y
+
+Should Malcolm use and maintain its own OpenSearch instance? (Y/n): y
+
+Compress OpenSearch index snapshots? (y/N): n
+
+Forward Logstash logs to a secondary remote OpenSearch instance? (y/N): n
+
+Setting 16g for OpenSearch and 3g for Logstash. Is this OK? (Y/n): y
+
+Setting 6 workers for Logstash pipelines. Is this OK? (Y/n): y
+
+Require encrypted HTTPS connections? (Y/n): y
+
+1: Basic
+2: Lightweight Directory Access Protocol (LDAP)
+3: None
+Select authentication method (Basic): 1
+
+Delete the oldest indices when the database exceeds a certain size? (y/N): y
+
+Enter index threshold (e.g., 250GB, 1TB, 60%, etc.): 250G
+
+Determine oldest indices by name (instead of creation time)? (Y/n): y
+
+Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y/N): y
+
+Automatically analyze all PCAP files with Suricata? (Y/n): y
+
+Download updated Suricata signatures periodically? (y/N): y
+
+Automatically analyze all PCAP files with Zeek? (Y/n): y
+
+Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek? (y/N): n
+
+Perform reverse DNS lookup locally for source and destination IP addresses in logs? (y/N): n
+
+Perform hardware vendor OUI lookups for MAC addresses? (Y/n): y
+
+Perform string randomness scoring on some fields? (Y/n): y
+
+Use default field values for Filebeat TCP listener? (Y/n): y
+
+Enable file extraction with Zeek?
(y/N): y
+1: none
+2: known
+3: mapped
+4: all
+5: interesting
+
+Select file extraction behavior (none): 5
+1: quarantined
+2: all
+3: none
+Select file preservation behavior (quarantined): 1
+
+Expose web interface for downloading preserved files? (y/N): y
+
+Enter AES-256-CBC encryption password for downloaded preserved files (or leave blank for unencrypted): quarantined
+
+Scan extracted files with ClamAV? (Y/n): y
+
+Scan extracted files with Yara? (Y/n): y
+
+Scan extracted PE files with Capa? (Y/n): y
+
+Lookup extracted file hashes with VirusTotal? (y/N): n
+
+Download updated file scanner signatures periodically? (y/N): y
+
+Should Malcolm run and maintain an instance of NetBox, an infrastructure resource modeling tool? (y/N): y
+
+Should Malcolm enrich network traffic using NetBox? (Y/n): y
+
+Specify default NetBox site name: Malcolm
+
+Enable dark mode for OpenSearch Dashboards? (Y/n): y
+
+Malcolm has been installed to /home/user/Malcolm. See README.md for more information.
+
+Scripts for starting and stopping Malcolm and changing authentication-related settings can be found in /home/user/Malcolm/scripts.
+```
+
+Run `./scripts/auth_setup` and answer the questions to [configure authentication](authsetup.md#AuthSetup):
+
+```
+$ ./scripts/auth_setup -f /path/to/kubeconfig.yaml
+
+1: all - Configure all authentication-related settings
+2: admin - Store administrator username/password for local Malcolm access
+3: webcerts - (Re)generate self-signed certificates for HTTPS access
+4: fwcerts - (Re)generate self-signed certificates for a remote log forwarder
+5: remoteos - Configure remote primary or secondary OpenSearch instance
+6: email - Store username/password for email alert sender account
+7: netbox - (Re)generate internal passwords for NetBox
+8: txfwcerts - Transfer self-signed client certificates to a remote log forwarder
+
+Configure Authentication (all): 1
+
+Store administrator username/password for local Malcolm access?
(Y/n): y
+
+Administrator username: analyst
+analyst password:
+analyst password (again):
+
+Additional local accounts can be created at https://localhost/auth/ when Malcolm is running
+
+(Re)generate self-signed certificates for HTTPS access? (Y/n): y
+
+(Re)generate self-signed certificates for a remote log forwarder? (Y/n): y
+
+Configure remote primary or secondary OpenSearch instance? (y/N): n
+
+Store username/password for email alert sender account? (y/N): n
+
+(Re)generate internal passwords for NetBox? (Y/n): y
+
+Transfer self-signed client certificates to a remote log forwarder? (y/N): n
+
+```
+
+Next, copy `./kubernetes/01-volumes.yml.example` to `./kubernetes/01-volumes.yml` and edit that file to define the [required PersistentVolumeClaims](#PVC) there.
+
+```
+$ cp -v ./kubernetes/01-volumes.yml.example ./kubernetes/01-volumes.yml
+'./kubernetes/01-volumes.yml.example' -> './kubernetes/01-volumes.yml'
+
+$ vi ./kubernetes/01-volumes.yml
+…
+
+$ grep -A 3 PersistentVolumeClaim ./kubernetes/01-volumes.yml
+kind: PersistentVolumeClaim
+metadata:
+ name: pcap-claim
+ namespace: malcolm
+--
+kind: PersistentVolumeClaim
+metadata:
+ name: zeek-claim
+ namespace: malcolm
+--
+kind: PersistentVolumeClaim
+metadata:
+ name: suricata-claim
+ namespace: malcolm
+--
+kind: PersistentVolumeClaim
+metadata:
+ name: config-claim
+ namespace: malcolm
+--
+kind: PersistentVolumeClaim
+metadata:
+ name: runtime-logs-claim
+ namespace: malcolm
+--
+kind: PersistentVolumeClaim
+metadata:
+ name: opensearch-claim
+ namespace: malcolm
+--
+kind: PersistentVolumeClaim
+metadata:
+ name: opensearch-backup-claim
+ namespace: malcolm
+
+```
+
+Start Malcolm:
+
+```
+$ ./scripts/start -f /path/to/kubeconfig.yaml
+…
+logstash | [2023-04-24T21:00:34,470][INFO ][logstash.agent ] Pipelines running {:count=>6, :running_pipelines=>[:"malcolm-input", :"malcolm-output", :"malcolm-suricata", :"malcolm-beats", :"malcolm-enrichment", :"malcolm-zeek"], :non_running_pipelines=>[]}
+
+Started Malcolm
+
+Malcolm services can be accessed via the following URLs:
+------------------------------------------------------------------------------
+ - Arkime: https://192.168.56.10/
+ - OpenSearch Dashboards: https://192.168.56.10/dashboards/
+ - PCAP upload (web): https://192.168.56.10/upload/
+ - NetBox: https://192.168.56.10/netbox/
+ - Account management: https://192.168.56.10/auth/
+ - Documentation: https://192.168.56.10/readme/
+
+```
+
+Check the status of the Malcolm deployment with `./scripts/status`:
+
+```
+$ ./scripts/status -f /path/to/kubeconfig.yaml
+
+Node Name | Hostname | IP | Provider ID | Instance Type | Total CPU | CPU Usage | Percent CPU | Total Memory | Memory Usage | Total Storage | Current Pods |
+server | server | 192.168.56.10 | server | k3s | 4000m | 47.03m | 1.18% | 7.77Gi | 1.14Gi | 61.28Gi | 7 |
+agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 3677.42m | 61.29% | 19.55Gi | 4.95Gi | 61.28Gi | 12 |
+agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 552.71m | 9.21% | 19.55Gi | 13.27Gi | 61.28Gi | 12 |
+
+Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
+netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.05.0 |
+netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.05.0 |
+dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.05.0 |
+freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.05.0 |
+pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.05.0 |
+nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.05.0 |
+htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.05.0 |
+opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.05.0 |
+zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.05.0 |
+dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.05.0 |
+arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.05.0 |
+api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.05.0 |
+netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.05.0 |
+pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.05.0 |
+suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.05.0 |
+suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:23.05.0 |
+netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.05.0 |
+zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.05.0 |
+filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 |
ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.05.0 |
+file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.05.0 |
+upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.05.0 |
+logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.05.0 |
+```
+
+View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`):
+
+```
+$ ./scripts/logs -f /path/to/kubeconfig.yaml
+api | [2023-04-24 20:55:59 +0000] [7] [INFO] Booting worker with pid: 7
+dashboards | log [20:59:28.784] [info][server][OpenSearchDashboards][http] http server running at http://0.0.0.0:5601/dashboards
+file-monitor | 2023-04-24 20:59:38 INFO: ۞ started [1]
+freq | 2023-04-24 20:57:09,481 INFO success: freq entered RUNNING state, process has stayed up for > than 5 seconds (startsecs)
+htadmin | 2023-04-24 20:58:04,724 INFO success: nginx entered RUNNING state, process has stayed up for > than 15 seconds (startsecs)
+opensearch | [2023-04-24T21:00:18,442][WARN ][o.o.c.m.MetadataIndexTemplateService] [opensearch-deployment-75498799f6-5v92w] index template [malcolm_template] has index patterns [arkime_sessions3-*] matching patterns from existing older templates [arkime_sessions3_ecs_template,arkime_sessions3_template] with patterns (arkime_sessions3_ecs_template => [arkime_sessions3-*],arkime_sessions3_template => [arkime_sessions3-*]); this template [malcolm_template] will take precedence during new index creation
+pcap-capture | 8:57PM INF Listening at http://0.0.0.0:80 /...
+pcap-monitor | 2023-04-24 20:59:53 INFO: ۞ started [1]
+upload | 2023-04-24 20:59:27,496 INFO success: nginx entered RUNNING state, process has stayed up for > than 15 seconds (startsecs)
+zeek-live | 8:59PM INF Listening at http://0.0.0.0:80 /...
+zeek-offline | 2023-04-24 20:58:16,072 INFO success: pcap-zeek entered RUNNING state, process has stayed up for > than 15 seconds (startsecs)
+suricata-live | 8:57PM INF Listening at http://0.0.0.0:80 /...
+logstash | [2023-04-24T21:00:34,470][INFO ][logstash.agent ] Pipelines running {:count=>6, :running_pipelines=>[:"malcolm-input", :"malcolm-output", :"malcolm-suricata", :"malcolm-beats", :"malcolm-enrichment", :"malcolm-zeek"], :non_running_pipelines=>[]}
+…
+```
+
+The Malcolm [user interface](quickstart.md#UserInterfaceURLs) should be accessible at the IP address or hostname of the Kubernetes ingress controller.
+
+# Future Enhancements
+
+Deploying Malcolm with Kubernetes is a new (and still somewhat experimental) feature, and does not yet support the full range of Malcolm features. Development around these features is [ongoing](https://github.com/idaholab/Malcolm/issues?q=is%3Aissue+is%3Aopen+kubernetes). Some of the notable features that are still a work in progress for Kubernetes deployment include:
+
+## Live Traffic Analysis
+
+For now, network traffic artifacts for analysis are provided to a Malcolm deployment on Kubernetes via [forwarding](malcolm-hedgehog-e2e-iso-install.md#HedgehogConfigForwarding) from a remote instance of [Hedgehog Linux](hedgehog.md) or via PCAP [upload](upload.md#Upload). [Future work](https://github.com/idaholab/Malcolm/issues/175) is needed to design and implement monitoring of network traffic in the cloud.
+
+## Horizontal Scaling
+
+For now, the Malcolm services running in Kubernetes are configured with `replicas: 1`.
There is [more investigation and development](https://github.com/idaholab/Malcolm/issues/182) needed to ensure Malcolm's containers work correctly when horizontally scaled.
+
+## Helm Chart
+
+For now, Malcolm's Kubernetes deployment is managed via vanilla [Kubernetes manifests]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/). We need to [look into](https://github.com/idaholab/Malcolm/issues/187) what a Malcolm Helm chart would look like and how it would fit in with the [deployment scripts](https://github.com/idaholab/Malcolm/issues/172) for [configuring](#Config) and [running](#Running) Malcolm, if at all.
diff --git a/docs/live-analysis.md b/docs/live-analysis.md
index a43e161f4..d08702b5b 100644
--- a/docs/live-analysis.md
+++ b/docs/live-analysis.md
@@ -18,19 +18,19 @@ Please see the [Hedgehog Linux README](hedgehog.md) for more information. ## Monitoring local network interfaces -Malcolm's `pcap-capture`, `suricata-live` and `zeek-live` containers can monitor one or more local network interfaces, specified by the `PCAP_IFACE` environment variable in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml). These containers are started with additional privileges (`IPC_LOCK`, `NET_ADMIN`, `NET_RAW`, and `SYS_ADMIN`) to allow opening network interfaces in promiscuous mode for capture. +Malcolm's `pcap-capture`, `suricata-live` and `zeek-live` containers can monitor one or more local network interfaces, specified by the `PCAP_IFACE` environment variable in [`pcap-capture.env`](malcolm-config.md#MalcolmConfigEnvVars). These containers are started with additional privileges (`IPC_LOCK`, `NET_ADMIN`, `NET_RAW`, and `SYS_ADMIN`) to allow opening network interfaces in promiscuous mode for capture. -The instances of Zeek and Suricata (in the `suricata-live` and `zeek-live` containers when the `SURICATA_LIVE_CAPTURE` and `ZEEK_LIVE_CAPTURE` environment variables in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) are set to `true`, respectively) analyze traffic on-the-fly and generate log files containing network session metadata. These log files are in turn scanned by Filebeat and forwarded to Logstash for enrichment and indexing into the OpenSearch document store. +The instances of Zeek and Suricata (in the `suricata-live` and `zeek-live` containers when the `SURICATA_LIVE_CAPTURE` and `ZEEK_LIVE_CAPTURE` [environment variables](malcolm-config.md#MalcolmConfigEnvVars) are set to `true`, respectively) analyze traffic on-the-fly and generate log files containing network session metadata. These log files are in turn scanned by Filebeat and forwarded to Logstash for enrichment and indexing into the OpenSearch document store. 
-In contrast, the `pcap-capture` container buffers traffic to PCAP files and periodically rotates these files for processing (by Arkime's `capture` utlity in the `arkime` container) according to the thresholds defined by the `PCAP_ROTATE_MEGABYTES` and `PCAP_ROTATE_MINUTES` environment variables in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml). If for some reason (e.g., a low resources environment) you also want Zeek and Suricata to process these intermediate PCAP files rather than monitoring the network interfaces directly, you can set `SURICATA_ROTATED_PCAP`/`ZEEK_ROTATED_PCAP` to `true` and `SURICATA_LIVE_CAPTURE`/`ZEEK_LIVE_CAPTURE` to false. +In contrast, the `pcap-capture` container buffers traffic to PCAP files and periodically rotates these files for processing (by Arkime's `capture` utlity in the `arkime` container) according to the thresholds defined by the `PCAP_ROTATE_MEGABYTES` and `PCAP_ROTATE_MINUTES` environment variables in [`pcap-capture.env`](malcolm-config.md#MalcolmConfigEnvVars). If for some reason (e.g., a low resources environment) you also want Zeek and Suricata to process these intermediate PCAP files rather than monitoring the network interfaces directly, you can set `SURICATA_ROTATED_PCAP`/`ZEEK_ROTATED_PCAP` to `true` and `SURICATA_LIVE_CAPTURE`/`ZEEK_LIVE_CAPTURE` to false. -These various options for monitoring traffic on local network interfaces can also be configured by running [`./scripts/install.py --configure`](malcolm-config.md#ConfigAndTuning). +These various options for monitoring traffic on local network interfaces can also be configured by running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning). Note that currently Microsoft Windows and Apple macOS platforms run Docker inside of a virtualized environment. Live traffic capture and analysis on those platforms would require additional configuration of virtual interfaces and port forwarding in Docker which is outside of the scope of this document. 
## Manually forwarding logs from an external source -Malcolm's Logstash instance can also be configured to accept logs from a [remote forwarder](https://www.elastic.co/products/beats/filebeat) by running [`./scripts/install.py --configure`](malcolm-config.md#ConfigAndTuning) and answering "yes" to "`Expose Logstash port to external hosts?`." Enabling encrypted transport of these logs files is discussed in [Configure authentication](authsetup.md#AuthSetup) and the description of the `BEATS_SSL` environment variable in the [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) file. +Malcolm's Logstash instance can also be configured to accept logs from a [remote forwarder](https://www.elastic.co/products/beats/filebeat) by running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning) and answering "yes" to "`Expose Logstash port to external hosts?`." Enabling encrypted transport of these logs files is discussed in [Configure authentication](authsetup.md#AuthSetup) and the description of the `BEATS_SSL` environment variable in [`beats-common.env`](malcolm-config.md#MalcolmConfigEnvVars). Configuring Filebeat to forward Zeek logs to Malcolm might look something like this example [`filebeat.yml`](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html): ``` diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index 6783db3d4..ce8317c62 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md 
@@ -1,79 +1,92 @@ # Malcolm Configuration -If you already have Docker and Docker Compose installed, the `install.py` script can still help you tune system configuration and `docker-compose.yml` parameters for Malcolm. To run it in "configuration only" mode, bypassing the steps to install Docker and Docker Compose, run it like this: -``` -./scripts/install.py --configure -``` +Malcolm's runtime settings are stored (with a few exceptions) as environment variables in configuration files ending with a `.env` suffix in the `./config` directory. The `./scripts/configure` script can help you configure and tune these settings. -Although `install.py` will attempt to automate many of the following configuration and tuning parameters, they are nonetheless listed in the following sections for reference: +Run `./scripts/configure` and answer the questions to configure Malcolm. For an in-depth treatment of these configuration questions, see the **Configuration** section in **[End-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig)**. -## `docker-compose.yml` parameters +## Environment Variable Files -Edit `docker-compose.yml` and search for the `OPENSEARCH_JAVA_OPTS` key. Edit the `-Xms4g -Xmx4g` values, replacing `4g` with a number that is half of your total system memory, or just under 32 gigabytes, whichever is less. So, for example, if I had 64 gigabytes of memory I would edit those values to be `-Xms31g -Xmx31g`. This indicates how much memory can be allocated to the OpenSearch heaps. For a pleasant experience, I would suggest not using a value under 10 gigabytes. Similar values can be modified for Logstash with `LS_JAVA_OPTS`, where using 3 or 4 gigabytes is recommended. +Although the configuration script automates many of the following configuration and tuning parameters, some environment variables of particular interest are listed here for reference. 
-Various other environment variables inside of `docker-compose.yml` can be tweaked to control aspects of how Malcolm behaves, particularly with regards to processing PCAP files and Zeek logs. The environment variables of particular interest are located near the top of that file under **Commonly tweaked configuration options**, which include:
-
-* `ARKIME_ANALYZE_PCAP_THREADS` – the number of threads available to Arkime for analyzing PCAP files (default `1`)
-* `AUTO_TAG` – if set to `true`, Malcolm will automatically create Arkime sessions and Zeek logs with tags based on the filename, as described in [Tagging](upload.md#Tagging) (default `true`)
-* `BEATS_SSL` – if set to `true`, Logstash will use require encrypted communications for any external [Beats](https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html)-based forwarders from which it will accept logs (default `true`)
-* `CONNECTION_SECONDS_SEVERITY_THRESHOLD` - when [severity scoring](severity.md#Severity) is enabled, this variable indicates the duration threshold (in seconds) for assigning severity to long connections (default `3600`)
-* `DASHBOARDS_DARKMODE` – if set to `true`, [OpenSearch Dashboards](dashboards.md#DashboardsVisualizations) will be set to dark mode upon initialization (default `true`)
-* `EXTRACTED_FILE_CAPA_VERBOSE` – if set to `true`, all Capa rule hits will be logged; otherwise (`false`) only [MITRE ATT&CK® technique](https://attack.mitre.org/techniques) classifications will be logged
-* `EXTRACTED_FILE_ENABLE_CAPA` – if set to `true`, [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) that are determined to be PE (portable executable) files will be scanned with [Capa](https://github.com/fireeye/capa)
-* `EXTRACTED_FILE_ENABLE_CLAMAV` – if set to `true`, [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) will be scanned with [ClamAV](https://www.clamav.net/)
-* `EXTRACTED_FILE_ENABLE_YARA` – if set to `true`, [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) will be scanned with [Yara](https://github.com/VirusTotal/yara)
-* `EXTRACTED_FILE_HTTP_SERVER_ENABLE` – if set to `true`, the directory containing [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) will be served over HTTP at `./extracted-files/` (e.g., [https://localhost/extracted-files/](https://localhost/extracted-files/) if you are connecting locally)
-* `EXTRACTED_FILE_HTTP_SERVER_ENCRYPT` – if set to `true`, those Zeek-extracted files will be AES-256-CBC-encrypted in an `openssl enc`-compatible format (e.g., `openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe`)
-* `EXTRACTED_FILE_HTTP_SERVER_KEY` – specifies the AES-256-CBC decryption password for encrypted Zeek-extracted files; used in conjunction with `EXTRACTED_FILE_HTTP_SERVER_ENCRYPT`
-* `EXTRACTED_FILE_IGNORE_EXISTING` – if set to `true`, files extant in `./zeek-logs/extract_files/` directory will be ignored on startup rather than scanned
-* `EXTRACTED_FILE_PRESERVATION` – determines behavior for preservation of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction)
-* `EXTRACTED_FILE_UPDATE_RULES` – if set to `true`, file scanner engines (e.g., ClamAV, Capa, Yara) will periodically update their rule definitions (default `false`)
-* `EXTRACTED_FILE_YARA_CUSTOM_ONLY` – if set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base) and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only user-defined rules in `./yara/rules`
-* `FREQ_LOOKUP` - if set to `true`, domain names (from DNS queries and SSL server names) will be assigned entropy scores as calculated by [`freq`](https://github.com/MarkBaggett/freq) (default `false`)
-* `FREQ_SEVERITY_THRESHOLD` - when [severity scoring](severity.md#Severity) is enabled, this variable indicates the entropy threshold for assigning severity to events with entropy scores calculated by [`freq`](https://github.com/MarkBaggett/freq); a lower value will only assign severity scores to fewer domain names with higher entropy (e.g., `2.0` for `NQZHTFHRMYMTVBQJE.COM`), while a higher value will assign severity scores to more domain names with lower entropy (e.g., `7.5` for `naturallanguagedomain.example.org`) (default `2.0`)
-* `LOGSTASH_OUI_LOOKUP` – if set to `true`, Logstash will map MAC addresses to vendors for all source and destination MAC addresses when analyzing Zeek logs (default `true`)
-* `LOGSTASH_REVERSE_DNS` – if set to `true`, Logstash will perform a reverse DNS lookup for all external source and destination IP address values when analyzing Zeek logs (default `false`)
-* `LOGSTASH_SEVERITY_SCORING` - if set to `true`, Logstash will perform [severity scoring](severity.md#Severity) when analyzing Zeek logs (default `true`)
-* `LOGSTASH_NETWORK_MAP_ENRICHMENT` - if set to `true`, Logstash will enrich network traffic metadata directly from [`net-map.json`](host-and-subnet-mapping.md#HostAndSubnetNaming) (should be the opposite of `LOGSTASH_NETBOX_ENRICHMENT`)
-* `LOGSTASH_NETBOX_ENRICHMENT` - if set to `true`, Logstash will enrich network traffic metadata via NetBox API calls (should be the opposite of `LOGSTASH_NETWORK_MAP_ENRICHMENT`)
-* `MANAGE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will be marked as available for deletion by Arkime if available storage space becomes too low (default `false`)
-* `MAXMIND_GEOIP_DB_LICENSE_KEY` - Malcolm uses MaxMind's free GeoLite2 databases for GeoIP lookups. As of December 30, 2019, these databases are [no longer available](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) for download via a public URL. Instead, they must be downloaded using a MaxMind license key (available without charge [from MaxMind](https://www.maxmind.com/en/geolite2/signup)). The license key can be specified here for GeoIP database downloads during build- and run-time.
-* `OPENSEARCH_LOCAL` - if set to `true`, Malcolm will use its own internal [OpenSearch instance](opensearch-instances.md#OpenSearchInstance) (default `true`)
-* `OPENSEARCH_URL` - when using Malcolm's internal OpenSearch instance (i.e., `OPENSEARCH_LOCAL` is `true`) this should be `http://opensearch:9200`, otherwise this value specifies the primary remote instance URL in the format `protocol://host:port` (default `http://opensearch:9200`)
-* `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` - if set to `true`, connections to the primary remote OpenSearch instance will require full TLS certificate validation (this may fail if using self-signed certificates) (default `false`)
-* `OPENSEARCH_SECONDARY` - if set to `true`, Malcolm will forward logs to a secondary remote OpenSearch instance in addition to the primary (local or remote) OpenSearch instance (default `false`)
-* `OPENSEARCH_SECONDARY_URL` - when forwarding to a secondary remote OpenSearch instance (i.e., `OPENSEARCH_SECONDARY` is `true`) this value specifies the secondary remote instance URL in the format `protocol://host:port`
-* `OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION` - if set to `true`, connections to the secondary remote OpenSearch instance will require full TLS certificate validation (this may fail if using self-signed certificates) (default `false`)
-* `NETBOX_DISABLED` - if set to `true`, Malcolm will **not** start and manage a [NetBox](asset-interaction-analysis.md#AssetInteractionAnalysis) instance (default `true`)
-* `NGINX_BASIC_AUTH` - if set to `true`, use [TLS-encrypted HTTP basic](authsetup.md#AuthBasicAccountManagement) authentication (default); if set to `false`, use [Lightweight Directory Access Protocol (LDAP)](authsetup.md#AuthLDAP) authentication
-* `NGINX_LOG_ACCESS_AND_ERRORS` - if set to `true`, all access to Malcolm via its [web interfaces](quickstart.md#UserInterfaceURLs) will be logged to OpenSearch (default `false`)
-* `NGINX_SSL` - if set to `true`, require HTTPS connections to Malcolm's `nginx-proxy` container (default); if set to `false`, use unencrypted HTTP connections (using unsecured HTTP connections is **NOT** recommended unless you are running Malcolm behind another reverse proxy like Traefik, Caddy, etc.)
-* `PCAP_ENABLE_NETSNIFF` – if set to `true`, Malcolm will capture network traffic on the local network interface(s) indicated in `PCAP_IFACE` using [netsniff-ng](http://netsniff-ng.org/)
-* `PCAP_ENABLE_TCPDUMP` – if set to `true`, Malcolm will capture network traffic on the local network interface(s) indicated in `PCAP_IFACE` using [tcpdump](https://www.tcpdump.org/); there is no reason to enable *both* `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`
-* `PCAP_FILTER` – specifies a tcpdump-style filter expression for local packet capture; leave blank to capture all traffic
-* `PCAP_IFACE` – used to specify the network interface(s) for local packet capture if `PCAP_ENABLE_NETSNIFF`, `PCAP_ENABLE_TCPDUMP`, `ZEEK_LIVE_CAPTURE` or `SURICATA_LIVE_CAPTURE` are enabled; for multiple interfaces, separate the interface names with a comma (e.g., `'enp0s25'` or `'enp10s0,enp11s0'`)
-* `PCAP_IFACE_TWEAK` - if set to `true`, Malcolm will [use `ethtool`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/nic-capture-setup.sh) to disable NIC hardware offloading features and adjust ring buffer sizes for capture interface(s); this should be `true` if the interface(s) are being used for capture only, `false` if they are being used for management/communication
-* `PCAP_ROTATE_MEGABYTES` – used to specify how large a locally-captured PCAP file can become (in megabytes) before it is closed for processing and a new PCAP file created
-* `PCAP_ROTATE_MINUTES` – used to specify a time interval (in minutes) after which a locally-captured PCAP file will be closed for processing and a new PCAP file created
-* `pipeline.workers`, `pipeline.batch.size` and `pipeline.batch.delay` - these settings are used to tune the performance and resource utilization of the the `logstash` container; see [Tuning and Profiling Logstash Performance](https://www.elastic.co/guide/en/logstash/current/tuning-logstash.html), [`logstash.yml`](https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html) and [Multiple Pipelines](https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html)
-* `PUID` and `PGID` - Docker runs all of its containers as the privileged `root` user by default. For better security, Malcolm immediately drops to non-privileged user accounts for executing internal processes wherever possible. The `PUID` (**p**rocess **u**ser **ID**) and `PGID` (**p**rocess **g**roup **ID**) environment variables allow Malcolm to map internal non-privileged user accounts to a corresponding [user account](https://en.wikipedia.org/wiki/User_identifier) on the host. Note that a few containers (including the `logstash` and `netbox` containers) may take a few extra minutes during startup if `PUID` and `PGID` are set to values other than the default `1000`. This is expected and should not affect operation after the initial startup.
-* `SENSITIVE_COUNTRY_CODES` - when [severity scoring](severity.md#Severity) is enabled, this variable defines a comma-separated list of sensitive countries (using [ISO 3166-1 alpha-2 codes](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) (default `'AM,AZ,BY,CN,CU,DZ,GE,HK,IL,IN,IQ,IR,KG,KP,KZ,LY,MD,MO,PK,RU,SD,SS,SY,TJ,TM,TW,UA,UZ'`, taken from the U.S. Department of Energy Sensitive Country List)
-* `SURICATA_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Suricata, and the resulting logs will also be imported (default `false`)
-* `SURICATA_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Suricata logs (default `1`)
-* `SURICATA_CUSTOM_RULES_ONLY` – if set to `true`, Malcolm will bypass the default [Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and use only user-defined rules (`./suricata/rules/*.rules`).
-* `SURICATA_UPDATE_RULES` – if set to `true`, Suricata signatures will periodically be updated (default `false`)
-* `SURICATA_LIVE_CAPTURE` - if set to `true`, Suricata will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
-* `SURICATA_ROTATED_PCAP` - if set to `true`, Suricata can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `SURICATA_AUTO_ANALYZE_PCAP_FILES`); if `SURICATA_LIVE_CAPTURE` is `true`, this should be false, otherwise Suricata will see duplicate traffic
-* `SURICATA_…` - the [`suricata` container entrypoint script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/suricata_config_populate.py) can use **many** more environment variables to tweak [suricata.yaml](https://github.com/OISF/suricata/blob/master/suricata.yaml.in); in that script, `DEFAULT_VARS` defines those variables (albeit without the `SURICATA_` prefix you must add to each for use)
-* `TOTAL_MEGABYTES_SEVERITY_THRESHOLD` - when [severity scoring](severity.md#Severity) is enabled, this variable indicates the size threshold (in megabytes) for assigning severity to large connections or file transfers (default `1000`)
-* `VTOT_API2_KEY` – used to specify a [VirusTotal Public API v.20](https://www.virustotal.com/en/documentation/public-api/) key, which, if specified, will be used to submit hashes of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) to VirusTotal
-* `ZEEK_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`)
-* `ZEEK_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Zeek logs (default `1`)
-* `ZEEK_DISABLE_…` - if set to any non-blank value, each of these variables can be used to disable a certain Zeek function when it analyzes PCAP files (for example, setting `ZEEK_DISABLE_LOG_PASSWORDS` to `true` to disable logging of cleartext passwords)
-* `ZEEK_DISABLE_BEST_GUESS_ICS` - see ["Best Guess" Fingerprinting for ICS Protocols](ics-best-guess.md#ICSBestGuess)
-* `ZEEK_EXTRACTOR_MODE` – determines the file extraction behavior for file transfers detected by Zeek; see [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) for more details
-* `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators that have been created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`)
-* `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration)
-* `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh)
-* `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
-* `ZEEK_ROTATED_PCAP` - if set to `true`, Zeek can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `ZEEK_AUTO_ANALYZE_PCAP_FILES`); if `ZEEK_LIVE_CAPTURE` is `true`, this should be false, otherwise Zeek will see duplicate traffic
\ No newline at end of file
+* **`arkime.env`** and **`arkime-secret.env`** - settings for [Arkime](https://arkime.com/)
+ - `ARKIME_ANALYZE_PCAP_THREADS` – the number of threads available to Arkime for analyzing PCAP files (default `1`)
+ - `MANAGE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will be marked as available for deletion by Arkime if available storage space becomes too low (default `false`)
+ - `MAXMIND_GEOIP_DB_LICENSE_KEY` - Malcolm uses MaxMind's free GeoLite2 databases for GeoIP lookups. As of December 30, 2019, these databases are [no longer available](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) for download via a public URL. Instead, they must be downloaded using a MaxMind license key (available without charge [from MaxMind](https://www.maxmind.com/en/geolite2/signup)). The license key can be specified here for GeoIP database downloads during build- and run-time.
+* **`auth-common.env`** - [authentication](#MalcolmAuthSetup)-related settings
+ - `NGINX_BASIC_AUTH` - if set to `true`, use [TLS-encrypted HTTP basic](authsetup.md#AuthBasicAccountManagement) authentication (default); if set to `false`, use [Lightweight Directory Access Protocol (LDAP)](authsetup.md#AuthLDAP) authentication
+* **`auth.env`** - stores the Malcolm administrator's username and password hash for its nginx reverse proxy
+* **`beats-common.env`** - settings for interactions between [Logstash](https://www.elastic.co/products/logstash) and [Filebeat](https://www.elastic.co/products/beats/filebeat)
+ - `BEATS_SSL` – if set to `true`, Logstash will use require encrypted communications for any external [Beats](https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html)-based forwarders from which it will accept logs (default `true`)
+* **`dashboards-helper.env`** - settings for the container that helps configure and maintain [OpenSearch](https://opensearch.org/) and [OpenSearch Dashboards](https://opensearch.org/docs/latest/dashboards/index/)
+ - `DASHBOARDS_DARKMODE` – if set to `true`, [OpenSearch Dashboards](dashboards.md#DashboardsVisualizations) will be set to dark mode upon initialization (default `true`)
+* **`filebeat.env`** - settings specific to [Filebeat](https://www.elastic.co/products/beats/filebeat), particularly for how Filebeat watches for new log files to parse and how it receives and stores [third-Party logs](third-party-logs.md#ThirdPartyLogs)
+* **`logstash.env`** - settings specific to [Logstash](https://www.elastic.co/products/logstash)
+ - `LOGSTASH_OUI_LOOKUP` – if set to `true`, Logstash will map MAC addresses to vendors for all source and destination MAC addresses when analyzing Zeek logs (default `true`)
+ - `LOGSTASH_REVERSE_DNS` – if set to `true`, Logstash will perform a reverse DNS lookup for all external source and destination IP address values when analyzing Zeek logs (default `false`)
+ - `LOGSTASH_SEVERITY_SCORING` - if set to `true`, Logstash will perform [severity scoring](severity.md#Severity) when analyzing Zeek logs (default `true`)
+ - `LOGSTASH_NETBOX_ENRICHMENT` - if set to `true`, Logstash will enrich network traffic metadata via NetBox API calls
+ - `LS_JAVA_OPTS` - part of LogStash's [JVM settings](https://www.elastic.co/guide/en/logstash/current/jvm-settings.html), the `-Xms` and `-Xmx` values set the size of LogStash's Java heap (we recommend somewhere between `1500m` and `4g`)
+ * `pipeline.workers`, `pipeline.batch.size` and `pipeline.batch.delay` - these settings are used to tune the performance and resource utilization of the the `logstash` container; see [Tuning and Profiling Logstash Performance](https://www.elastic.co/guide/en/logstash/current/tuning-logstash.html), [`logstash.yml`](https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html) and [Multiple Pipelines](https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html)
+* **`lookup-common.env`** - settings for enrichment lookups, including those used for [customizing event severity scoring](severity.md#SeverityConfig)
+ - `CONNECTION_SECONDS_SEVERITY_THRESHOLD` - when [severity scoring](severity.md#Severity) is enabled, this variable indicates the duration threshold (in seconds) for assigning severity to long connections (default `3600`)
+ - `FREQ_LOOKUP` - if set to `true`, domain names (from DNS queries and SSL server names) will be assigned entropy scores as calculated by [`freq`](https://github.com/MarkBaggett/freq) (default `false`)
+ - `FREQ_SEVERITY_THRESHOLD` - when [severity scoring](severity.md#Severity) is enabled, this variable indicates the entropy threshold for assigning severity to events with entropy scores calculated by [`freq`](https://github.com/MarkBaggett/freq); a lower value will only assign severity scores to fewer domain names with higher entropy (e.g., `2.0` for `NQZHTFHRMYMTVBQJE.COM`), while a higher value will assign severity scores to more domain names with lower entropy (e.g., `7.5` for `naturallanguagedomain.example.org`) (default `2.0`)
+ - `SENSITIVE_COUNTRY_CODES` - when [severity scoring](severity.md#Severity) is enabled, this variable defines a comma-separated list of sensitive countries (using [ISO 3166-1 alpha-2 codes](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) (default `'AM,AZ,BY,CN,CU,DZ,GE,HK,IL,IN,IQ,IR,KG,KP,KZ,LY,MD,MO,PK,RU,SD,SS,SY,TJ,TM,TW,UA,UZ'`, taken from the U.S. Department of Energy Sensitive Country List)
+ - `TOTAL_MEGABYTES_SEVERITY_THRESHOLD` - when [severity scoring](severity.md#Severity) is enabled, this variable indicates the size threshold (in megabytes) for assigning severity to large connections or file transfers (default `1000`)
+* **`netbox-common.env`**, `netbox.env`, `netbox-secret.env`, `netbox-postgres.env`, `netbox-redis-cache.env` and `netbox-redis.env` - settings related to [NetBox](https://netbox.dev/) and [Asset Interaction Analysis](asset-interaction-analysis.md#AssetInteractionAnalysis)
+ - `NETBOX_DISABLED` - if set to `true`, Malcolm will **not** start and manage a [NetBox](asset-interaction-analysis.md#AssetInteractionAnalysis) instance (default `true`)
+* **`nginx.env`** - settings specific to Malcolm's nginx reverse proxy
+ - `NGINX_LOG_ACCESS_AND_ERRORS` - if set to `true`, all access to Malcolm via its [web interfaces](quickstart.md#UserInterfaceURLs) will be logged to OpenSearch (default `false`)
+ - `NGINX_SSL` - if set to `true`, require HTTPS connections to Malcolm's `nginx-proxy` container (default); if set to `false`, use unencrypted HTTP connections (using unsecured HTTP connections is **NOT** recommended unless you are running Malcolm behind another reverse proxy like Traefik, Caddy, etc.)
+* **`opensearch.env`** - settings specific to [OpenSearch](https://opensearch.org/)
+ - `OPENSEARCH_JAVA_OPTS` - one of OpenSearch's most [important settings](https://opensearch.org/docs/latest/install-and-configure/install-opensearch/index/#important-settings), the `-Xms` and `-Xmx` values set the size of OpenSearch's Java heap (we recommend setting this value to half of system RAM, up to 32 gigabytes)
+ - `OPENSEARCH_LOCAL` - if set to `true`, Malcolm will use its own internal [OpenSearch instance](opensearch-instances.md#OpenSearchInstance) (default `true`)
+ - `OPENSEARCH_URL` - when using Malcolm's internal OpenSearch instance (i.e., `OPENSEARCH_LOCAL` is `true`) this should be `http://opensearch:9200`, otherwise this value specifies the primary remote instance URL in the format `protocol://host:port` (default `http://opensearch:9200`)
+ - `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` - if set to `true`, connections to the primary remote OpenSearch instance will require full TLS certificate validation (this may fail if using self-signed certificates) (default `false`)
+ - `OPENSEARCH_SECONDARY` - if set to `true`, Malcolm will forward logs to a secondary remote OpenSearch instance in addition to the primary (local or remote) OpenSearch instance (default `false`)
+ - `OPENSEARCH_SECONDARY_URL` - when forwarding to a secondary remote OpenSearch instance (i.e., `OPENSEARCH_SECONDARY` is `true`) this value specifies the secondary remote instance URL in the format `protocol://host:port`
+ - `OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION` - if set to `true`, connections to the secondary remote OpenSearch instance will require full TLS certificate validation (this may fail if using self-signed certificates) (default `false`)
+* **`pcap-capture.env`** - settings specific to capturing traffic for [live traffic analysis](live-analysis.md#LocalPCAP)
+ - `PCAP_ENABLE_NETSNIFF` – if set to `true`, Malcolm will capture network traffic on the local network interface(s) indicated in `PCAP_IFACE` using [netsniff-ng](http://netsniff-ng.org/)
+ - `PCAP_ENABLE_TCPDUMP` – if set to `true`, Malcolm will capture network traffic on the local network interface(s) indicated in `PCAP_IFACE` using [tcpdump](https://www.tcpdump.org/); there is no reason to enable *both* `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`
+ - `PCAP_FILTER` – specifies a tcpdump-style filter expression for local packet capture; leave blank to capture all traffic
+ - `PCAP_IFACE` – used to specify the network interface(s) for local packet capture if `PCAP_ENABLE_NETSNIFF`, `PCAP_ENABLE_TCPDUMP`, `ZEEK_LIVE_CAPTURE` or `SURICATA_LIVE_CAPTURE` are enabled; for multiple interfaces, separate the interface names with a comma (e.g., `'enp0s25'` or `'enp10s0,enp11s0'`)
+ - `PCAP_IFACE_TWEAK` - if set to `true`, Malcolm will [use `ethtool`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/nic-capture-setup.sh) to disable NIC hardware offloading features and adjust ring buffer sizes for capture interface(s); this should be `true` if the interface(s) are being used for capture only, `false` if they are being used for management/communication
+ - `PCAP_ROTATE_MEGABYTES` – used to specify how large a locally-captured PCAP file can become (in megabytes) before it is closed for processing and a new PCAP file created
+ - `PCAP_ROTATE_MINUTES` – used to specify a time interval (in minutes) after which a locally-captured PCAP file will be closed for processing and a new PCAP file created
+* **`process.env`** - settings for how the processes running inside Malcolm containers are executed
+ - `PUID` and `PGID` - Docker runs all of its containers as the privileged `root` user by default. For better security, Malcolm immediately drops to non-privileged user accounts for executing internal processes wherever possible. The `PUID` (**p**rocess **u**ser **ID**) and `PGID` (**p**rocess **g**roup **ID**) environment variables allow Malcolm to map internal non-privileged user accounts to a corresponding [user account](https://en.wikipedia.org/wiki/User_identifier) on the host. Note that a few containers (including the `logstash` and `netbox` containers) may take a few extra minutes during startup if `PUID` and `PGID` are set to values other than the default `1000`. This is expected and should not affect operation after the initial startup.
+* **`ssl.env`** - TLS-related settings used by many containers
+* **`suricata.env`**, **`suricata-live.env`** and **`suricata-offline.env`** - settings for [Suricata](https://suricata.io/)
+ - `SURICATA_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Suricata, and the resulting logs will also be imported (default `false`)
+ - `SURICATA_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Suricata logs (default `1`)
+ - `SURICATA_CUSTOM_RULES_ONLY` – if set to `true`, Malcolm will bypass the default [Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and use only user-defined rules (`./suricata/rules/*.rules`).
+ - `SURICATA_UPDATE_RULES` – if set to `true`, Suricata signatures will periodically be updated (default `false`)
+ - `SURICATA_LIVE_CAPTURE` - if set to `true`, Suricata will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
+ - `SURICATA_ROTATED_PCAP` - if set to `true`, Suricata can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `SURICATA_AUTO_ANALYZE_PCAP_FILES`); if `SURICATA_LIVE_CAPTURE` is `true`, this should be false, otherwise Suricata will see duplicate traffic
+ - `SURICATA_…` - the [`suricata` container entrypoint script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/suricata_config_populate.py) can use **many** more environment variables to tweak [suricata.yaml](https://github.com/OISF/suricata/blob/master/suricata.yaml.in); in that script, `DEFAULT_VARS` defines those variables (albeit without the `SURICATA_` prefix you must add to each for use)
+* **`upload-common.env`** and **`upload.env`** - settings for dealing with PCAP files [uploaded](upload.md#Upload) to Malcolm for analysis
+ - `AUTO_TAG` – if set to `true`, Malcolm will automatically create Arkime sessions and Zeek logs with tags based on the filename, as described in [Tagging](upload.md#Tagging) (default `true`)
+* **`zeek.env`**, **`zeek-secret.env`**, **`zeek-live.env`** and **`zeek-offline.env`** - settings for [Zeek](https://www.zeek.org/index.html) and for scanning [extracted files](file-scanning.md#ZeekFileExtraction) Zeek observes in network traffic
+ - `EXTRACTED_FILE_CAPA_VERBOSE` – if set to `true`, all Capa rule hits will be logged; otherwise (`false`) only [MITRE ATT&CK® technique](https://attack.mitre.org/techniques) classifications will be logged
+ - `EXTRACTED_FILE_ENABLE_CAPA` – if set to `true`, [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) that are determined to be PE (portable executable) files will be scanned with [Capa](https://github.com/fireeye/capa)
+ - `EXTRACTED_FILE_ENABLE_CLAMAV` – if set to `true`, [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) will be scanned with [ClamAV](https://www.clamav.net/)
+ - `EXTRACTED_FILE_ENABLE_YARA` – if set to `true`, [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) will be scanned with [Yara](https://github.com/VirusTotal/yara)
+ - `EXTRACTED_FILE_HTTP_SERVER_ENABLE` – if set to `true`, the directory containing [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) will be served over HTTP at `./extracted-files/` (e.g., [https://localhost/extracted-files/](https://localhost/extracted-files/) if you are connecting locally)
+ - `EXTRACTED_FILE_HTTP_SERVER_ENCRYPT` – if set to `true`, those Zeek-extracted files will be AES-256-CBC-encrypted in an `openssl enc`-compatible format (e.g., `openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe`)
+ - `EXTRACTED_FILE_HTTP_SERVER_KEY` – specifies the AES-256-CBC decryption password for encrypted Zeek-extracted files; used in conjunction with `EXTRACTED_FILE_HTTP_SERVER_ENCRYPT`
+ - `EXTRACTED_FILE_IGNORE_EXISTING` – if set to `true`, files extant in `./zeek-logs/extract_files/` directory will be ignored on startup rather than scanned
+ - `EXTRACTED_FILE_PRESERVATION` – determines behavior for preservation of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction)
+ - `EXTRACTED_FILE_UPDATE_RULES` – if set to `true`, file scanner engines (e.g., ClamAV, Capa, Yara) will periodically update their rule definitions (default `false`)
+ - `EXTRACTED_FILE_YARA_CUSTOM_ONLY` – if set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base) and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only user-defined rules in `./yara/rules`
+ - `VTOT_API2_KEY` – used to specify a [VirusTotal Public API v.20](https://www.virustotal.com/en/documentation/public-api/) key, which, if specified, will be used to submit hashes of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) to VirusTotal
+ - `ZEEK_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`)
+ - `ZEEK_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Zeek logs (default `1`)
+ - `ZEEK_DISABLE_…` - if set to any non-blank value, each of these variables can be used to disable a certain Zeek function when it analyzes PCAP files (for example, setting `ZEEK_DISABLE_LOG_PASSWORDS` to `true` to disable logging of cleartext passwords)
+ - `ZEEK_DISABLE_BEST_GUESS_ICS` - see ["Best Guess" Fingerprinting for ICS Protocols](ics-best-guess.md#ICSBestGuess)
+ - `ZEEK_EXTRACTOR_MODE` – determines the file extraction behavior for file transfers detected by Zeek; see [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) for more details
+ - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators that have been created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`)
+ - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration)
+ - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh)
+ - `ZEEK_LIVE_CAPTURE` - if set to 
`true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` + - `ZEEK_ROTATED_PCAP` - if set to `true`, Zeek can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `ZEEK_AUTO_ANALYZE_PCAP_FILES`); if `ZEEK_LIVE_CAPTURE` is `true`, this should be false, otherwise Zeek will see duplicate traffic \ No newline at end of file diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md new file mode 100644 index 000000000..ebdf41427 --- /dev/null +++ b/docs/malcolm-hedgehog-e2e-iso-install.md 
@@ -0,0 +1,625 @@ +# End-to-end Malcolm and Hedgehog Linux ISO Installation + +This document outlines how to install [Malcolm]({{ site.github.repository_url }}) and [Hedgehog Linux](hedgehog.md) using the project's installer ISOs. These instructions apply to installing this software both on a "bare metal" system or in a virtual machine environment using VMware, VirtualBox, QEMU/KVM, etc. + +The Malcolm and Hedgehog Linux installers as described in these instructions are intended to be used to **replace** the existing operating system, if any, of the respective systems onto which they are installed, and, as such, are designed to require as little user input as possible. For this reason, there are NO user prompts and confirmations about partitioning and reformatting hard disks for use by the operating system. The installer assumes that all non-removable storage media (eg., SSD, HDD, NVMe, etc.) are available for use and ⛔🆘😭💀 ***will partition and format them without warning*** 💀😭🆘⛔. + +In contrast to using the ISO installer, Malcolm can also be installed "natively" on any x86_64 platform that can run Docker. See the [installation example using Ubuntu 22.04 LTS](ubuntu-install-example.md#InstallationExample) for that method of installation and configuration, or [Windows host system configuration](host-config-windows.md#HostSystemConfigWindows) and [macOS host system configuration](host-config-macos.md#HostSystemConfigMac) for those platforms. 
+ +### Table of Contents + +* [Obtaining the Installation ISOs](#ISODownload) +* ["Burning" the Installation ISOs to USB Flash Drive](#ISOBurning) +* [Booting the Installation Media](#BootUSB) +* [Malcolm Installation and Configuration](#MalcolmInstallAndConfig) + - [ISO Installation](#ISOInstallMalcolm) + - [Desktop Environment](#MalcolmDesktop) + - [Configuration](#MalcolmConfig) + - [Configure Hostname and Time Sync](#MalcolmTimeSync) + - [Setting up Authentication](#MalcolmAuthSetup) +* [Hedgehog Linux Installation and Configuration](#HedgehogInstallAndConfig) + - [Hedgehog Linux ISO Installation](#ISOInstallHedgehog) + - [Desktop Environment](#HedgehogDesktop) + - [Configure Hostname, Interfaces and Time Sync](#HedgehogInterfaces) + - [Configure Capture](#HedgehogCapture) + + [Capture](#HedgehogConfigCapture) + + [File extraction and scanning](#HedgehogZeekFileExtraction) + - [Configure Forwarding](#HedgehogConfigForwarding) + * [arkime-capture](#Hedgehogarkime-capture): Arkime session forwarding + * [ssl-client-receive](#HedgehogGetCerts): Receive client SSL files for filebeat from Malcolm + * [filebeat](#Hedgehogfilebeat): Zeek and Suricata log forwarding + * [miscbeat](#Hedgehogmiscbeat): System metrics forwarding + + [Autostart services](#HedgehogConfigAutostart) +* [Verifying Traffic Capture and Forwarding](#Verify) + +## Obtaining the Installation ISOs + +Malcolm can be [packaged](malcolm-iso.md#ISOBuild) into an [installer ISO](malcolm-iso.md#ISO) based on the current [stable release](https://wiki.debian.org/DebianStable) of [Debian](https://www.debian.org/). This [customized Debian installation](https://wiki.debian.org/DebianLive) is preconfigured with the bare minimum software needed to run Malcolm. + +Similar instructions exist for generating the [installer ISO](hedgehog-iso-build.md#HedgehogISOBuild) for [Hedgehog Linux](hedgehog.md), Malcolm's dedicated network sensor appliance OS. 
+ +While official downloads of the Malcolm installer ISO are not provided, an **unofficial build** of the ISO installer for the [latest stable release]({{ site.external_download_url }}) is available for download here. If downloading the unofficial builds, be sure to verify the integrity of ISO files against the SHA256 sums provided on the download page. + +## "Burning" the Installation ISOs to USB Flash Drive + +Various methods can be used to write the contents of an installer ISO image to a USB flash drive. One simple free and open source application for doing so [Etcher](https://www.balena.io/etcher), which can be used on Windows, macOS and Linux platforms. + +Alternatively, specific instructions may be provided by your operating system (e.g., [Arch Linux](https://wiki.archlinux.org/title/USB_flash_installation_medium), [Debian Linux](https://www.debian.org/releases/stable/amd64/ch04s03.en.html), [Ubuntu Linux](https://ubuntu.com/tutorials/create-a-usb-stick-on-ubuntu#1-overview)). + +Using one of these methods, write the Malcolm and Hedgehog Linux installer ISOs to two 8GB or larger USB flash drives, respectively. + +Alternatively, the ISO images could be burned to writable optical media (e.g., DVD±R). For the Malcolm installer you'll likely have to use DVD±R DL ("dual layer" or "double layer") DVD media as the installer ISO exceeds the 4.7 GB storage provided by standard DVDs. + +![Etcher on macOS](./images/screenshots/iso_install_etcher_macos.png) + +*Using Etcher on macOS* + +![dd on Linux](./images/screenshots/iso_install_dd_linux.png) + +*Using dd on Linux* + +## Booting the Installation Media + +The ISO media boot on systems that support EFI-mode and legacy (BIOS) booting. Configuring your system's firmware to allow booting from USB or optical media will vary from manufacturer to manufacturer. Usually manufacturers will provide a one-time boot options menu upon a specific keypress (e.g., F12 for Dell, F9 for HP, etc.). 
If needed, consult the documentation provided by the hardware manufacturer on how to access the boot options menu and boot from your newly-burned USB flash media or DVD±R. + +![EFI Boot Manager](./images/screenshots/iso_install_boot_menu_efi.png) + +*An example of an EFI boot manager in QEMU* + +![BIOS Boot Manager](./images/screenshots/iso_install_boot_menu_bios.png) + +*An example of a BIOS boot options menu in QEMU* + +## Malcolm Installation and Configuration + +### ISO Installation + +Upon Booting the Malcolm installation ISO, you're presented with the following **Boot menu**. Use the arrow keys to select **Install Malcolm**, and press Enter. + +![](./images/screenshots/iso_install_malcolm_iso_menu_1.png) + +*The first screen of the installer* + +The next screen of the installer presents the following options relevant to installation: + +* **Quick Install** - Installs Malcolm without full disk encryption using default partitioning. +* **Encrypted Quick Install** - Installs Malcolm with full disk encryption using default partitioning. You will be prompted for a password for full disk encryption during installation which must be entered each time the system boots. +* **Expert Install** - Allows you to configure the options of the [Debian](https://wiki.debian.org/DebianInstaller)-based installation system. Only recommended when needed for expert Linux users. +* **Virtual Machine Single Partition Quick Install** - The same as **Quick Install** except that all system files are stored in a single partition. Use this option when installing Malcolm onto a virtual machine. 
+ +![](./images/screenshots/iso_install_malcolm_iso_menu_2.png) + +*The **Install Malcolm** menu* + +After making your selection for the type of Malcolm install to perform, the installer will ask for several pieces of information prior to installing the Malcolm base operating system: + +* **Hostname** - the name of the Malcolm system used to identify itself on the network +* **Domain name** - (optional) the name of the local network domain +* **Root password** – (optional) a password for the privileged root account which is rarely needed; if unspecified, the non-privileged user account will be added to the `sudo` group +* **User name** the name for the non-privileged service account user account under which the Malcolm runs +* **User password** – a password for the non-privileged user account +* **Encryption password** – (optional) if the encrypted installation option was selected at boot, the encryption password must be entered every time the system boots + +![Example of the installer's password prompt](./images/hedgehog/images/users_and_passwords.png) + +After the passwords have been entered, the installer will proceed to format the system drive and install Malcolm. + +![Installer progress](./images/hedgehog/images/installer_progress.png) + +At the end of the installation process, you will be prompted with a few self-explanatory yes/no questions: + +* **Disable IPv6?** +* **Automatically login to the GUI session?** +* **Should the GUI session be locked due to inactivity?** +* **Display the [Standard Mandatory DoD Notice and Consent Banner](https://www.stigviewer.com/stig/application_security_and_development/2018-12-24/finding/V-69349)?** *(only applies when installed on U.S. government information systems)* + +Following these prompts, the installer will reboot and the Malcolm base operating system will boot. + +The Malcolm installer does not require an internet connection to complete successfully. 
If the installer prompts you to configure network connectivity, you may choose "do not configure the network at this time." + +### Desktop Environment + +The Malcolm base operating system is a [hardened](hardening.md#Hardening) Linux installation based on the current [stable release](https://wiki.debian.org/DebianStable) of [Debian](https://www.debian.org/) [running](https://wiki.debian.org/Xfce) the [XFCE desktop environment](https://www.xfce.org/). It has been preloaded with all of the [components](components.md#Components) that make up Malcolm. + +[NetworkManager](https://wiki.debian.org/NetworkManager) can be used to configure networking for Malcolm. NetworkManager can be configured by clicking the 🖧 (networked computers) icon in the system tray in the upper-right corner of the screen, or right-clicking the icon and selecting **Edit Connections...** to modify the properties of a given connection. + +Display resolution should be detected and adjusted automatically. If you need to make changes to display properties, click the **Applications** menu and select **Settings** → **Display**. + +The panel bordering the top of the Malcolm desktop is home to a number of useful shortcuts: + +![Malcolm Desktop](./images/screenshots/malcolm_desktop.png) + +### Configuration + +The first time the Malcolm base operating system boots the **Malcolm Configuration** wizard will start automatically. This same configuration script can be run again later by running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning) from the Malcolm installation directory, or clicking the **Configure Malcolm** 🔳 icon in the top panel. + +![Malcolm Configuration on first boot](./images/screenshots/malcolm_first_boot_config.png) + +The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's questions proceed as follows. Note that you may not necessarily see every question listed here depending on how you answered earlier questions. 
Usually the default selection is what you'll want to select unless otherwise indicated below. The configuration values resulting from these questions are stored in [environment variable files](malcolm-config.md#MalcolmConfigEnvVars) in the `./config` directory. + + +* Malcolm processes will run as UID 1000 and GID 1000. Is this OK? + - Docker runs all of its containers as the privileged `root` user by default. For better security, Malcolm immediately drops to non-privileged user accounts for executing internal processes wherever possible. The `PUID` (**p**rocess **u**ser **ID**) and `PGID` (**p**rocess **g**roup **ID**) environment variables allow Malcolm to map internal non-privileged user accounts to a corresponding [user account](https://en.wikipedia.org/wiki/User_identifier) on the host. +* Should Malcolm use and maintain its own OpenSearch instance? + - Malcolm's default standalone configuration is to use a local [OpenSearch](https://opensearch.org/) instance in a Docker container to index and search network traffic metadata. See [OpenSearch instances](opensearch-instances.md#OpenSearchInstance) for more information about using a remote OpenSearch cluster instead. +* Compress OpenSearch index snapshots? + - Choose whether OpenSearch [index snapshots](https://opensearch.org/docs/2.6/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-management/) should be compressed or not, should you opt to configure them later in [OpenSearch index management](index-management.md#IndexManagement). +* Forward Logstash logs to a secondary remote OpenSearch instance? + - Whether the primary OpenSearch instance is a locally maintained single-node instance or is a remote cluster, Malcolm can be configured additionally forward logs to a secondary remote OpenSearch instance. See [OpenSearch instances](opensearch-instances.md#OpenSearchInstance) for more information about forwarding logs to another OpenSearch instance. +* Setting 16g for OpenSearch and 3g for Logstash. 
Is this OK? + - Two of Malcolm's main components, OpenSearch and Logstash, require a substantial amount of memory to be set aside for their use. The configuration script will suggest defaults for these values based on the amount of physical memory the system has. The minimum recommended amount of system memory for Malcolm is 16 gigabytes. For a pleasant experience, I would suggest not using a value under 10 gigabytes for OpenSearch and 2500 megabytes for Logstash. +* Setting 3 workers for Logstash pipelines. Is this OK? + - This setting is used to tune the performance and resource utilization of the the `logstash` container. The default is calculated based on the number of logical CPUs the system has. See [Tuning and Profiling Logstash Performance](https://www.elastic.co/guide/en/logstash/current/tuning-logstash.html), [`logstash.yml`](https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html) and [Multiple Pipelines](https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html). +* Restart Malcolm upon system or Docker daemon restart? + - This question allows you to configure Docker's [restart policy](https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy) for Malcolm (ie., the behavior used to restart Malcolm should the system be shut down or rebooted, or should one of Malcolm's components should crash). Possible options are: + + no - do not automatically restart the container + + on-failure - restart the container if it exits due to an error, which manifests as a non-zero exit code + + always - always restart the container if it stops + + unless-stopped - similar to always, except that when the container is stopped (manually or otherwise), it is not restarted even after Docker daemon restarts; this is usually a good choice +* Require encrypted HTTPS connections? + - Malcolm uses [TLS](authsetup.md#TLSCerts) encryption for its web browser-accessible user interfaces. 
Answering **Y** to this question is almost always what you want. The only situation in which you might want to answer **N** is if you are running Malcolm behind a third-party reverse proxy (e.g., [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)) to handle the issuance of the certificates for you and to broker the connections between clients and Malcolm. Reverse proxies such as these often implement the [ACME](https://datatracker.ietf.org/doc/html/rfc8555) protocol for domain name authentication and can be used to request certificates from certificate authorities like [Let's Encrypt](https://letsencrypt.org/how-it-works/). In this configuration, the reverse proxy will be encrypting the connections instead of Malcolm. **Make sure** you understand what you are doing and ensure that external connections cannot reach ports over which Malcolm will be communicating without encryption, including verifying your local firewall configuration, should you choose to answer **N** to this question. +* Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)? + - See the previous question. If Malcolm is configured behind a remote proxy, Malcolm can prompt you to *Configure labels for Traefik?* to allow it to identify itself to Traefik. +* Specify external Docker network name (or leave blank for default networking) + - This allows you to configure Malcolm to use [custom Docker networks](https://docs.docker.com/compose/networking/#specify-custom-networks). Leave this blank unless you know you want to do otherwise. 
+* Select authentication method + - Choose **Basic** to use Malcolm's own built-in [local account management](authsetup.md#AuthBasicAccountManagement), **LDAP** to use [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) or **None** to not require authentication (not recommended) +* Select LDAP server compatibility type + - This question allows you to specify Microsoft Active Directory compatibility (**winldap**) or generic LDAP compatibility (**openldap**, for OpenLDAP, glauth, etc.) when using [LDAP authentication](authsetup.md#AuthLDAP) +* Use StartTLS (rather than LDAPS) for LDAP connection security? + - When using LDAP authentication, this question allows you to configure [LDAP connection security](authsetup.md#AuthLDAPSecurity) +* Store PCAP, log and index files locally under /home/user/Malcolm? + - Malcolm generates a number of large file sets during normal operation: PCAP files, Zeek or Suricata logs, OpenSearch indices, etc. By default all of these are stored in subdirectories in the Malcolm installation directory. This question allows you to specify alternative storage location(s) (for example, a separate dedicated drive or RAID volume) for these artifacts. +* Delete the oldest indices when the database exceeds a certain size? + - Most of the configuration around OpenSearch [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/) can be done in OpenSearch Dashboards. In addition to (or instead of) the OpenSearch index state management operations, Malcolm can also be configured to delete the oldest network session metadata indices when the database exceeds a certain size to prevent filling up all available storage with OpenSearch indices. +* Should Arkime delete PCAP files based on available storage? 
+ - Answering **Y** allows Arkime to prune (delete) old PCAP files based on available disk space (see https://arkime.com/faq#pcap-deletion). +* Automatically analyze all PCAP files with Suricata? + - This option is used to enable [Suricata](https://suricata.io/) (an IDS and threat detection engine) to analyze PCAP files uploaded to Malcolm via its upload web interface. +* Download updated Suricata signatures periodically? + - If your Malcolm instance has internet connectivity, answer **Y** to [enable automatic updates](https://suricata-update.readthedocs.io/en/latest/) of the Suricata rules used by Malcolm. +* Automatically analyze all PCAP files with Zeek? + - This option is used to enable [Zeek](https://www.zeek.org/index.html) (a network analysis framework and IDS) to analyze PCAP files uploaded to Malcolm via its upload web interface. +* Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek? + - If you are using Malcolm in a control systems (OT/ICS) network, answer **Y** to enable ["Best Guess" Fingerprinting for ICS Protocols](ics-best-guess.md#ICSBestGuess). +* Perform reverse DNS lookup locally for source and destination IP addresses in logs? + - If enabled, this option will perform reverse [DNS lookups](https://www.elastic.co/guide/en/logstash/current/plugins-filters-dns.html) on IP addresses found in traffic and use the results to enrich network logs. Answer **Y** if your Malcolm instance has access to a DNS server to perform these lookups. +* Perform hardware vendor OUI lookups for MAC addresses? + - Malcolm will [map MAC addresses](https://standards.ieee.org/products-programs/regauth/) to hardware manufacturer when possible. You probably want to answer **Y** to this question. +* Perform string randomness scoring on some fields? + - If enabled, domain names observed in network traffic (from DNS queries and SSL server names) will be assigned entropy scores as calculated by [`freq`](https://github.com/MarkBaggett/freq). 
You probably want to answer **Y** to this question. +* Expose OpenSearch port to external hosts? + - Answer **Y** in order for Malcolm's firewall to allow connections from a remote log forwarder (such as Hedgehog Linux) to TCP port 9200 so that Arkime sessions can be written to Malcolm's OpenSearch database. +* Expose Logstash port to external hosts? + - Answer **Y** in order for Malcolm's firewall to allow connections from a remote log forwarder (such as Hedgehog Linux) to TCP port 5044 so that Zeek and Suricata logs can be ingested by Malcolm's Logstash instance. +* Expose Filebeat TCP port to external hosts? + - Answer **Y** in order for Malcolm's firewall to allow connections from a remote log forwarder (such as Hedgehog Linux for resource utilization metrics or other forwarders for other [third-Party logs](third-party-logs.md#ThirdPartyLogs)) to TCP port 5045. +* Use default field values for Filebeat TCP listener? + - Answer **Y** to use the defaults and skip the next five questions about the Filebeat TCP listener. +* Select log format for messages sent to Filebeat TCP listener + - Possible choices include `json` and `raw`; you probably want to choose `json`. +* Source field to parse for messages sent to Filebeat TCP listener + - The default choice (and the one Hedgehog Linux will be sending) is `message`. +* Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener + - The default choice (and the one that corresponds to Malcolm's dashboards built for the resource utilization metrics sent by Hedgehog Linux) is `miscbeat`. +* Field to drop from events sent to Filebeat TCP listener + - You most likely want this to be the default, `message`, to match the field name specified above. +* Tag to apply to messages sent to Filebeat TCP listener + - The default is `_malcolm_beats`, which is used by Malcolm to recognize and parse metrics sent from Hedgehog Linux. +* Expose SFTP server (for PCAP upload) to external hosts? 
+ - Answer **N** unless you plan to use SFTP/SCP to [upload](upload.md#Upload) PCAP files to Malcolm; answering **Y** will expose TCP port 8022 in Malcolm's firewall for SFTP/SCP connections +* Enable file extraction with Zeek? + - Answer **Y** to indicate that Zeek should [extract files](file-scanning.md#ZeekFileExtraction) transfered in observed network traffic. +* Select file extraction behavior + - This determines which files Zeek should extract for scanning: + + `none`: no file extraction + + `interesting`: extraction of files with mime types of common attack vectors + + `mapped`: extraction of files with recognized mime types + + `known`: extraction of files for which any mime type can be determined + + `all`: extract all files +* Select file preservation behavior + - This determines the behavior for preservation of Zeek-extracted files: + + `quarantined`: preserve only flagged files in `./zeek-logs/extract_files/quarantine` + + `all`: preserve flagged files in `./zeek-logs/extract_files/quarantine` and all other extracted files in `./zeek-logs/extract_files/preserved` + + `none`: preserve no extracted files +* Expose web interface for downloading preserved files? + - Answering **Y** enables access to the Zeek-extracted files path through the means of a simple HTTPS directory server at `https:///extracted-files/`. Beware that Zeek-extracted files may contain malware. +* Enter AES-256-CBC encryption password for downloaded preserved files (or leave blank for unencrypted) + - If a password is specified here, Zeek-extracted files downloaded as described under the previous question will be AES-256-CBC-encrypted in an `openssl enc`-compatible format (e.g., `openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe`). +* Scan extracted files with ClamAV? + - Answer **Y** to scan extracted files with [ClamAV](https://www.clamav.net/), an antivirus engine. +* Scan extracted files with Yara? 
+ - Answer **Y** to scan extracted files with [Yara](https://github.com/VirusTotal/yara), a tool used to identify and classify malware samples. +* Scan extracted PE files with Capa? + - Answer **Y** to scan extracted executable files with [Capa](https://github.com/fireeye/capa), a tool for detecting capabilities in executable files. +* Lookup extracted file hashes with VirusTotal? + - Answer **Y** to be prompted for your [**VirusTotal**](https://www.virustotal.com/en/#search) API key which will be used for submitting the hashes of extracted files. Only specify this option if your Malcolm instance has internet connectivity. +* Enter VirusTotal API key + - Specify your [**VirusTotal**](https://www.virustotal.com/en/#search) [API key](https://support.virustotal.com/hc/en-us/articles/115002100149-API) as indicated under the previous question. +* Download updated file scanner signatures periodically? + - If your Malcolm instance has internet connectivity, answer **Y** to enable periodic downloads of signatures used by ClamAV and YARA. +* Should Malcolm run and maintain an instance of NetBox, an infrastructure resource modeling tool? + - Answer **Y** if you would like to use [NetBox](https://netbox.dev/), a suite for modeling and documenting modern networks, to maintain an inventory of your network assets. +* Should Malcolm enrich network traffic using NetBox? + - Answer **Y** to [cross-reference](asset-interaction-analysis.md#AssetInteractionAnalysis) network traffic logs your NetBox asset inventory. +* Specify default NetBox site name + - NetBox has the concept of [sites](https://demo.netbox.dev/static/docs/core-functionality/sites-and-racks/). Sites can have overlapping IP address ranges, of course. This default site name will be used as a query parameter for these enrichment lookups. +* Should Malcolm capture live network traffic to PCAP files for analysis with Arkime? 
+ - Malcolm itself can perform [live analysis](live-analysis.md#LocalPCAP) of traffic it sees on another network interface (ideally not the same one used for its management). If you are using Hedgehog Linux you probably want to answer **N** to this question. If you want Malcolm to observe and capture traffic instead of or in addition to a sensor running Hedgehog Linux, answer **Y**. +* Capture packets using netsniff-ng? + - Answer **Y** for Malcolm to [capture network traffic](live-analysis.md#LocalPCAP) on the local network interface(s) indicated using [netsniff-ng](http://netsniff-ng.org/) (instead of tcpdump). These PCAP files are then periodically rotated into Arkime for analysis. netsniff-ng is Malcolm's preferred tool for capturing network traffic. +* Capture packets using tcpdump? + - Answer **Y** for Malcolm to [capture network traffic](live-analysis.md#LocalPCAP) on the local network interface(s) indicated using [tcpdump](https://www.tcpdump.org/) (instead of netsniff-ng). Do not answer **Y** for both `tcpdump` and `netsniff-ng`. +* Should Malcolm analyze live network traffic with Suricata? + - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Suricata. If you are using Hedgehog Linux you probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic." +* Should Malcolm analyze live network traffic with Zeek? + - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Zeek. If you are using Hedgehog Linux you probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic." +* Specify capture interface(s) (comma-separated) + - Specify the network interface(s) for [live traffic analysis](live-analysis.md#LocalPCAP) if it is enabled for netsniff-ng, tcpdump, Suricata or Zeek as described above. 
For multiple interfaces, separate the interface names with a comma (e.g., `enp0s25` or `enp10s0,enp11s0`). +* Capture filter (tcpdump-like filter expression; leave blank to capture all traffic) + - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) as described above, you may optionally provide a capture filter. This filter will be used to limit what traffic the PCAP service ([netsniff-ng](http://netsniff-ng.org/) or [tcpdump](https://www.tcpdump.org/)) and the traffic analysis services ([Zeek](https://www.zeek.org/) and [Suricata](https://suricata.io/)) will see. Capture filters are specified using [Berkeley Packet Filter (BPF)](http://biot.com/capstats/bpf.html) syntax. For example, to indicate that Malcolm should ignore the ports it uses to communicate with Hedgehog Linux, you could specify `not port 5044 and not port 5045 and not port 8005 and not port 9200`. +* Disable capture interface hardware offloading and adjust ring buffer sizes? + - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) and you answer **Y** to this question, Malcolm will [use `ethtool`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/nic-capture-setup.sh) to disable NIC hardware offloading features and adjust ring buffer sizes for capture interface(s); this should be enabled if the interface(s) are being used for capture **only**, otherwise answer **N**. If you're unsure, you should probably answer **N**. +* Enable dark mode for OpenSearch Dashboards? + - Answer **Y** if you prefer dark dashboards, **N** if you prefer light ones. + +### Configure Hostname and Time Sync + +If you wish to change Malcolm's hostname or configure system time synchronization, open a terminal (the icon immediately to the right of the **Applications** menu icon at the top of the Malcolm desktop) and run `sudo configure-interfaces.py` then enter your password. 
If you get an error about your user not belonging to the `sudo` group, run `su -c configure-interfaces.py` and use the `root` password instead.
+
+Here you can configure Malcolm to keep its time synchronized with either an NTP server (using the NTP protocol), another [Malcolm]({{ site.github.repository_url }}) aggregator or another HTTP/HTTPS server. On the next dialog, choose the time synchronization method you wish to configure.
+
+![Time synchronization method](./images/hedgehog/images/time_sync_mode.png)
+
+If **htpdate** is selected, you will be prompted to enter the IP address or hostname and port of an HTTP/HTTPS server (for another Malcolm instance, port `9200` may be used) and the time synchronization check frequency in minutes. A test connection will be made to determine if the time can be retrieved from the server.
+
+![*htpdate* configuration](./images/hedgehog/images/htpdate_setup.png)
+
+If *ntpdate* is selected, you will be prompted to enter the IP address or hostname of the NTP server.
+
+![NTP configuration](./images/hedgehog/images/ntp_host.png)
+
+Upon configuring time synchronization, a "Time synchronization configured successfully!" message will be displayed, after which you will be returned to the welcome screen. Select **Cancel**.
+
+### Setting up Authentication
+
+Once the [configuration](#MalcolmConfig) questions have been completed as described above, you can click the circular yellow Malcolm icon the panel at the top of the [desktop](#MalcolmDesktop) to start Malcolm. As you have not yet configured authentication, you will be prompted to do so. This authentication setup can be run again later by running [`./scripts/auth_setup`](authsetup.md#AuthSetup) from the Malcolm installation directory.
+
+![Setting up authentication on Malcolm's first run](./images/screenshots/iso_install_auth_setup.png)
+
+*The Configure Authentication dialog*
+
+As this is the first time setting up authentication, ensure the **all** option is selected and press **OK**.
+
+You will be prompted to do the following:
+
+* Store administrator username/password for local Malcolm access: specifies the administrator credentials when using [local account management](#AuthBasicAccountManagement) (instead of LDAP) for authentication.
+* (Re)generate self-signed certificates for HTTPS access: creates the self-signed [TLS certificates](authsetup.md#TLSCerts) used for encrypting the connections between users' web browsers and Malcolm
+* (Re)generate self-signed certificates for a remote log forwarder: creates the self-signed [TLS certificates](authsetup.md#TLSCerts) for communications from a remote log forwarder (such as Hedgehog Linux or forwarders for other [third-Party logs](third-party-logs.md#ThirdPartyLogs))
+* Configure remote primary or secondary OpenSearch instance: **N** if you are using Malcolm's local OpenSearch instance, or **Y** to specify credentials for a remote OpenSearch cluster (see [OpenSearch instances](opensearch-instances.md#OpenSearchInstance))
+* Store username/password for email alert sender account: answer **Y** to specify credentials for [Email Sender Accounts](alerting.md#AlertingEmail) to be used with OpenSearch Dashboards' alerting plugin
+* (Re)generate internal passwords for NetBox: if you answered **Y** to "Should Malcolm run and maintain an instance of NetBox...?"
during the configuration questions, you should need to asnwer **Y** to this question at least the first time you start Malcolm
+* Transfer self-signed client certificates to a remote log forwarder: in order for a Hedgehog Linux to securely communicate with Malcolm, it needs the client certificates generated when you answered **Y** to "(Re)generate self-signed certificates for a remote log forwarder" a few moments ago. Malcolm can facilitate the secure transfer of these to a sensor running Hedgehog. If you will be continuing on to configure a sensor running Hedgehog Linux, answer **Y** here.
+ - You're prompted to "Run configure-capture on the remote log forwarder, select 'Configure Forwarding,' then 'Receive client SSL files...'." Continue on with the instructions for [Hedgehog Linux Installation and Configuration](#HedgehogInstallAndConfig), and return here and press **Enter** when you get to **[ssl-client-receive](#HedgehogGetCerts): Receive client SSL files for filebeat from Malcolm** below. After that process is complete, press **OK** and Malcolm will continue to start up.
+
+## Hedgehog Linux Installation and Configuration
+
+More detailed instructions for configuring Hedgehog Linux can be found in that section of the [documentation](hedgehog.md).
+
+## Hedgehog Linux ISO Installation
+
+The Hedgehog Linux installation ISO follows the same process as the [Malcolm installation](#ISOInstallMalcolm) above.
+
+The installer will ask for a few pieces of information prior to installing Hedgehog Linux:
+
+* **Root password** – a password for the privileged root account which is rarely needed (only during the configuration of the sensors network interfaces and setting the sensor host name)
+* **User password** – a password for the non-privileged `sensor` account under which the various sensor capture and forwarding services run
+* **Encryption password** – (optional) if the encrypted installation option was selected at boot, the encryption password must be entered every time the sensor boots
+
+At the end of the installation process, you will be prompted with a few self-explanatory yes/no questions:
+
+* **Disable IPv6?**
+* **Automatically login to the GUI session?**
+* **Should the GUI session be locked due to inactivity?**
+* **Display the [Standard Mandatory DoD Notice and Consent Banner](https://www.stigviewer.com/stig/application_security_and_development/2018-12-24/finding/V-69349)?** *(only applies when installed on U.S. government information systems)*
+
+Following these prompts, the installer will reboot and Hedgehog Linux will boot into [kiosk mode](hedgehog-boot.md#HedgehogKioskMode).
+
+Kiosk mode can be exited by connecting an external USB keyboard and pressing **Alt+F4**, upon which the *sensor* user's desktop is shown.
+
+### Desktop Environment
+
+The Hedgehog Linux base operating system is a [hardened](hedgehog-hardening.md#HedgehogHardening) Linux installation based on the current [stable release](https://wiki.debian.org/DebianStable) of [Debian](https://www.debian.org/) [running](https://wiki.debian.org/Xfce) the [XFCE desktop environment](https://www.xfce.org/).
+
+Display resolution should be detected and adjusted automatically. If you need to make changes to display properties, click the **Applications** menu and select **Settings** → **Display**.
+
+The panel bordering the top of the Malcolm desktop is home to a number of useful shortcuts:
+
+![Hedgehog Linux desktop](./images/hedgehog/images/desktop.png)
+
+*The Hedgehog Linux desktop*
+
+* **Terminal** - opens a command prompt in a terminal emulator
+* **Browser** - opens a web browser
+* **Kiosk** – returns the sensor to kiosk mode
+* **README** – displays this document
+* **Sensor status** – displays a list with the status of each sensor service
+* **Configure capture and forwarding** – opens a dialog for configuring the sensor's capture and forwarding services, as well as specifying which services should autostart upon boot
+* **Configure interfaces and hostname** – opens a dialog for configuring the sensor's network interfaces and setting the sensor's hostname
+* **Restart sensor services** - stops and restarts all of the [autostart services](#HedgehogConfigAutostart)
+
+## Configure Hostname, Interfaces and Time Sync
+
+The first step of sensor configuration is to configure the network interfaces and sensor hostname. Clicking the **Configure Interfaces and Hostname** toolbar icon (or, if you are at a command line prompt, running `configure-interfaces`) will prompt you for the root password you created during installation, after which the configuration welcome screen is shown. Select **Continue** to proceed.
+
+You may next select whether to configure the network interfaces, hostname, or time synchronization.
+
+![Selection to configure network interfaces, hostname, or time synchronization](./images/hedgehog/images/root_config_mode.png)
+
+Selecting **Hostname**, you will be presented with a summary of the current sensor identification information, after which you may specify a new sensor hostname. This name will be used to tag all events forwarded from this sensor in the events' **host.name** field.
+
+![Specifying a new sensor hostname](./images/hedgehog/images/hostname_setting.png)
+
+Returning to the configuration mode selection, choose **Interface**. You will be prompted if you would like help identifying network interfaces. If you select **Yes**, you will be prompted to select a network interface, after which that interface's link LED will blink for 10 seconds to help you in its identification. This network interface identification aid will continue to prompt you to identify further network interfaces until you select **No**.
+
+You will be presented with a list of interfaces to configure as the sensor management interface. This is the interface the sensor itself will use to communicate with the network in order to, for example, forward captured logs to an aggregate server. In order to do so, the management interface must be assigned an IP address. This is generally **not** the interface used for capturing data. Select the interface to which you wish to assign an IP address. The interfaces are listed by name and MAC address and the associated link speed is also displayed if it can be determined. For interfaces without a connected network cable, generally a `-1` will be displayed instead of the interface speed.
+
+![Management interface selection](./images/hedgehog/images/select_iface.png)
+
+Depending on the configuration of your network, you may now specify how the management interface will be assigned an IP address. In order to communicate with an event aggregator over the management interface, either **static** or **dhcp** must be selected.
+
+![Interface address source](./images/hedgehog/images/iface_mode.png)
+
+If you select static, you will be prompted to enter the IP address, netmask, and gateway to assign to the management interface.
+
+![Static IP configuration](./images/hedgehog/images/iface_static.png)
+
+In either case, upon selecting **OK** the network interface will be brought down, configured, and brought back up, and the result of the operation will be displayed. You may choose **Quit** upon returning to the configuration tool's welcome screen.
+
+Returning to the configuration mode selection, choose **Time Sync**. Here you can configure the sensor to keep its time synchronized with either an NTP server (using the NTP protocol) or a local [Malcolm]({{ site.github.repository_url }}) aggregator or another HTTP/HTTPS server. On the next dialog, choose the time synchronization method you wish to configure.
+
+![Time synchronization method](./images/hedgehog/images/time_sync_mode.png)
+
+If **htpdate** is selected, you will be prompted to enter the IP address or hostname and port of an HTTP/HTTPS server (for a Malcolm instance, port `9200` may be used) and the time synchronization check frequency in minutes. A test connection will be made to determine if the time can be retrieved from the server.
+
+![*htpdate* configuration](./images/hedgehog/images/htpdate_setup.png)
+
+If *ntpdate* is selected, you will be prompted to enter the IP address or hostname of the NTP server.
+
+![NTP configuration](./images/hedgehog/images/ntp_host.png)
+
+Upon configuring time synchronization, a "Time synchronization configured successfully!" message will be displayed, after which you will be returned to the welcome screen. Select **Cancel**.
+
+## Configure Capture
+
+Clicking the **Configure Capture and Forwarding** toolbar icon (or, if you are at a command prompt, running `configure-capture`) will launch the configuration tool for capture and forwarding. The root password is not required as it was for the interface and hostname configuration, as sensor services are run under the non-privileged sensor account. Select **Continue** to proceed. You may select from a list of configuration options.
+
+![Select configuration mode](./images/hedgehog/images/capture_config_main.png)
+
+### Capture
+
+Choose **Configure Capture** to configure parameters related to traffic capture and local analysis. You will be prompted if you would like help identifying network interfaces. If you select **Yes**, you will be prompted to select a network interface, after which that interface's link LED will blink for 10 seconds to help you in its identification. This network interface identification aid will continue to prompt you to identify further network interfaces until you select **No**.
+
+You will be presented with a list of network interfaces and prompted to select one or more capture interfaces. An interface used to capture traffic is generally a different interface than the one selected previously as the management interface, and each capture interface should be connected to a network tap or span port for traffic monitoring. Capture interfaces are usually not assigned an IP address as they are only used to passively “listen” to the traffic on the wire. The interfaces are listed by name and MAC address and the associated link speed is also displayed if it can be determined. For interfaces without a connected network cable, generally a `-1` will be displayed instead of the interface speed.
+
+![Select capture interfaces](./images/hedgehog/images/capture_iface_select.png)
+
+Upon choosing the capture interfaces and selecting OK, you may optionally provide a capture filter. This filter will be used to limit what traffic the PCAP service ([netsniff-ng](http://netsniff-ng.org/) or [tcpdump](https://www.tcpdump.org/)) and the traffic analysis services ([`zeek`](https://www.zeek.org/) and [`suricata`](https://suricata.io/)) will see. Capture filters are specified using [Berkeley Packet Filter (BPF)](http://biot.com/capstats/bpf.html) syntax.
For example, to indicate that Hedgehog should ignore the ports it uses to communicate with Malcolm, you could specify `not port 5044 and not port 5045 and not port 8005 and not port 9200`. Clicking **OK** will attempt to validate the capture filter, if specified, and will present a warning if the filter is invalid.
+
+![Specify capture filters](./images/hedgehog/images/capture_filter.png)
+
+Next you must specify the paths where captured PCAP files and logs will be stored locally on the sensor. If the installation worked as expected, these paths should be prepopulated to reflect paths on the volumes formatted at install time for the purpose storing these artifacts. Usually these paths will exist on separate storage volumes. Enabling the PCAP and log pruning autostart services (see the section on autostart services below) will enable monitoring of these paths to ensure that their contents do not consume more than 90% of their respective volumes' space. Choose **OK** to continue.
+
+![Specify capture paths](./images/hedgehog/images/capture_paths.png)
+
+### File extraction and scanning
+
+Hedgehog Linux can leverage Zeek's knowledge of network protocols to automatically detect file transfers and extract those files from network traffic as Zeek sees them.
+
+To specify which files should be extracted, specify the Zeek file carving mode:
+
+![Zeek file carving mode](./images/hedgehog/images/zeek_file_carve_mode.png)
+
+If you're not sure what to choose, either of **mapped (except common plain text files)** (if you want to carve and scan almost all files) or **interesting** (if you only want to carve and scan files with [mime types of common attack vectors]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/sensor-iso/interface/sensor_ctl/zeek/extractor_override.interesting.zeek)) is probably a good choice.
+
+Next, specify which carved files to preserve (saved on the sensor under `/capture/bro/capture/extract_files/quarantine` by default).
In order to not consume all of the sensor's available storage space, the oldest preserved files will be pruned along with the oldest Zeek logs as described below with **AUTOSTART_PRUNE_ZEEK** in the [autostart services](#HedgehogConfigAutostart) section.
+
+You'll be prompted to specify which engine(s) to use to analyze extracted files. Extracted files can be examined through any of three methods:
+
+![File scanners](./images/hedgehog/images/zeek_file_carve_scanners.png)
+
+* scanning files with [**ClamAV**](https://www.clamav.net/); to enable this method, select **ZEEK_FILE_SCAN_CLAMAV** when specifying scanners for Zeek-carved files
+* submitting file hashes to [**VirusTotal**](https://www.virustotal.com/en/#search); to enable this method, select **ZEEK_FILE_SCAN_VTOT** when specifying scanners for Zeek-carved files, then manually edit `/opt/sensor/sensor_ctl/control_vars.conf` and specify your [VirusTotal API key](https://developers.virustotal.com/reference) in `VTOT_API2_KEY`
+* scanning files with [**Yara**](https://github.com/VirusTotal/yara); to enable this method, select **ZEEK_FILE_SCAN_YARA** when specifying scanners for Zeek-carved files
+* scanning portable executable (PE) files with [**Capa**](https://github.com/fireeye/capa); to enable this method, select **ZEEK_FILE_SCAN_CAPA** when specifying scanners for Zeek-carved files
+
+Files which are flagged as potentially malicious will be logged as Zeek `signatures.log` entries, and can be viewed in the **Signatures** dashboard in [OpenSearch Dashboards]({{ site.github.repository_url }}#DashboardsVisualizations) when forwarded to Malcolm.
+
+![File quarantine](./images/hedgehog/images/file_quarantine.png)
+
+Finally, you will be presented with the list of configuration variables that will be used for capture, including the values which you have configured up to this point in this section.
Upon choosing **OK** these values will be written back out to the sensor configuration file located at `/opt/sensor/sensor_ctl/control_vars.conf`. It is not recommended that you edit this file manually. After confirming these values, you will be presented with a confirmation that these settings have been written to the configuration file, and you will be returned to the welcome screen.
+
+## Configure Forwarding
+
+Select **Configure Forwarding** to set up forwarding logs and statistics from the sensor to an aggregator server, such as [Malcolm]({{ site.github.repository_url }}).
+
+![Configure forwarders](./images/hedgehog/images/forwarder_config.png)
+
+There are three forwarder services used on the sensor, each for forwarding a different type of log or sensor metric.
+
+### arkime-capture: Arkime session forwarding
+
+arkime-[capture](https://github.com/arkime/arkime/tree/master/capture) is not only used to capture PCAP files, but also the parse raw traffic into sessions and forward this session metadata to an [OpenSearch](https://opensearch.org/) database so that it can be viewed in [Arkime viewer](https://arkime.com/), whether standalone or as part of a [Malcolm]({{ site.github.repository_url }}) instance. If you're using Hedgehog Linux with Malcolm, please read [Correlating Zeek logs and Arkime sessions]({{ site.github.repository_url }}#ZeekArkimeFlowCorrelation) in the Malcolm documentation for more information.
+
+First, select the OpenSearch connection transport protocol, either **HTTPS** or **HTTP**. If the metrics are being forwarded to Malcolm, select **HTTPS** to encrypt messages from the sensor to the aggregator using TLS v1.2 using ECDHE-RSA-AES128-GCM-SHA256. If **HTTPS** is chosen, you must choose whether to enable SSL certificate verification. If you are using a self-signed certificate (such as the one automatically created during [Malcolm's configuration]({{ site.github.repository_url }}#configure-authentication)), choose **None**.
+
+![OpenSearch connection protocol](./images/hedgehog/images/opensearch_connection_protocol.png) ![OpenSearch SSL verification](./images/hedgehog/images/opensearch_ssl_verification.png)
+
+Next, enter the **OpenSearch host** IP address (ie., the IP address of the aggregator) and port. These metrics are written to an OpenSearch database using a RESTful API, usually using port 9200. Depending on your network configuration, you may need to open this port in your firewall to allow this connection from the sensor to the aggregator.
+
+![OpenSearch host and port](./images/hedgehog/images/arkime-capture-ip-port.png)
+
+You will be asked to enter authentication credentials for the sensor's connections to the aggregator's OpenSearch API. After you've entered the username and the password, the sensor will attempt a test connection to OpenSearch using the connection information provided. If the Malcolm services have not yet been started, you may receive a **Connection refused** error. You may select **Ignore Error** for the credentials to be accepted anyway.
+
+![OpenSearch username](./images/hedgehog/images/opensearch_username.png) ![OpenSearch password](./images/hedgehog/images/opensearch_password.png) ![Successful OpenSearch connection](./images/hedgehog/images/opensearch_connection_success.png)
+
+You will be shown a dialog for a list of IP addresses used to populate an access control list (ACL) for hosts allowed to connect back to the sensor for retrieving session payloads from its PCAP files for display in Arkime viewer. The list will be prepopulated with the IP address entered a few screens prior to this one.
+
+![PCAP retrieval ACL](./images/hedgehog/images/malcolm_arkime_reachback_acl.png)
+
+Arkime supports [compression](https://arkime.com/settings#writer-simple) for the PCAP files it creates. Select `none` (at the cost of requiring more storage for PCAP files saved on the sensor) or `zstd` (at the cost of higher CPU load when writing and reading PCAP files).
If you choose [`zstd`](https://en.wikipedia.org/wiki/Zstd?lang=en), you'll also be prompted for the compression level (something like `3` is probably a good choice).
+
+![PCAP compression](./images/hedgehog/images/pcap_compression.png)
+
+Finally, you'll be given the opportunity to review the all of the Arkime `capture` options you've specified. Selecting **OK** will cause the parameters to be saved and you will be returned to the configuration tool's welcome screen.
+
+![capture settings confirmation](./images/hedgehog/images/arkime_confirm.png)
+
+### ssl-client-receive: Receive client SSL files for filebeat from Malcolm
+
+As described above in the Malcolm configuration under [Setting up Authentication](#MalcolmAuthSetup), in order for a Hedgehog Linux to securely communicate with Malcolm, it needs the client certificates generated when you answered **Y** to "(Re)generate self-signed certificates for a remote log forwarder" during that setup. Malcolm can facilitate the secure transfer of these to a sensor running Hedgehog.
+
+![ssl-client-receive](./images/hedgehog/images/ssl_client_receive.png)
+
+*Select* ***ssl-client-receive*** *on Hedgehog*
+
+Select **ssl-client-receive** from the **Configuration Mode** options on the Hedgehog, then press **OK** when prompted "Run auth_setup on Malcolm 'Transfer self-signed client certificates...'." [Return](#MalcolmAuthSetup) to the Malcolm instance where `auth_setup` is running (or re-run it if needed) and press **OK**.
You'll see a message with the title **ssl-client-transmit** that looks like this:
+
+![ssl-client-transmit](./images/hedgehog/images/ssl_client_transmit.png)
+
+*Run* ***auth_setup*** *and select* ***ssl-client-transmit*** *on Malcolm*
+
+Note Malcolm's IP address (`192.168.122.5` in the screenshot above) and the single-use code phrase (`8736-janet-kilo-tonight` in the screenshot above) and enter them on the Hedgehog:
+
+![ssl-client-receive-code](./images/hedgehog/images/ssl_client_receive_code.png)
+
+*Enter Malcolm IP address and single-use code phrase on Hedgehog*
+
+After a few seconds (hopefully) a progress bar will update and show the files have been 100% transfered. They are automatically saved into the `/opt/sensor/sensor_ctl/logstash-client-certificates` directory on the sensor.
+
+Press **OK** on the Malcolm instance. If Malcolm's `auth_setup` process was being during Malcolm's first run, Malcolm will continue to start up.
+
+### filebeat: Zeek and Suricata log forwarding
+
+[Filebeat](https://www.elastic.co/products/beats/filebeat) is used to forward [Zeek](https://www.zeek.org/) and [Suricata](https://suricata.io/) logs to a remote [Logstash](https://www.elastic.co/products/logstash) instance for further enrichment prior to insertion into an [OpenSearch](https://opensearch.org/) database.
+
+To configure filebeat, first provide the log path (the same path previously configured for log file generation).
+
+![Configure filebeat for log forwarding](./images/hedgehog/images/filebeat_log_path.png)
+
+You must also provide the IP address of the Logstash instance to which the logs are to be forwarded, and the port on which Logstash is listening. These logs are forwarded using the Beats protocol, generally over port 5044. Depending on your network configuration, you may need to open this port in your firewall to allow this connection from the sensor to the aggregator.
+
+![Configure filebeat for log forwrading](./images/hedgehog/images/filebeat_ip_port.png)
+
+Next you are asked whether the connection used for log forwarding should be done **unencrypted** or over **SSL**. Unencrypted communication requires less processing overhead and is simpler to configure, but the contents of the logs may be visible to anyone who is able to intercept that traffic.
+
+![Filebeat SSL certificate verification](./images/hedgehog/images/filebeat_ssl.png)
+
+If **SSL** is chosen, you must choose whether to enable [SSL certificate verification](https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html). If you are using a self-signed certificate (such as the one automatically created during [Malcolm's configuration]({{ site.github.repository_url }}#configure-authentication), choose **None**.
+
+![Unencrypted vs. SSL encryption for log forwarding](./images/hedgehog/images/filebeat_ssl_verify.png)
+
+The last step for SSL-encrypted log forwarding is to specify the SSL certificate authority, certificate, and key files. These files must match those used by the Logstash instance receiving the logs on the aggregator. The steps above under **[ssl-client-receive](#HedgehogGetCerts): Receive client SSL files for filebeat from Malcolm** should have taken care of the transfer of these files between Malcolm and Hedgehog. Otherwise, manually copy ("sneakernet") the files from the `filebeat/certs/` subdirectory of the Malcolm installation to `/opt/sensor/sensor_ctl/logstash-client-certificates` on Hedgehog.
+
+![SSL certificate files](./images/hedgehog/images/filebeat_certs.png)
+
+Once you have specified all of the filebeat parameters, you will be presented with a summary of the settings related to the forwarding of these logs.
Selecting **OK** will cause the parameters to be written to filebeat's configuration keystore under `/opt/sensor/sensor_ctl/logstash-client-certificates` and you will be returned to the configuration tool's welcome screen. If the Malcolm services have not yet been started, you may receive a **could not connect** error. You may select **Ignore Error** for the settings to be accepted anyway.
+
+![Confirm filebeat settings](./images/hedgehog/images/filebeat_confirm.png)
+
+### miscbeat: System metrics forwarding
+
+The sensor uses [Fluent Bit](https://fluentbit.io/) to gather miscellaneous system resource metrics (CPU, network I/O, disk I/O, memory utilization, temperature, etc.) and the [Beats](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) protocol to forward these metrics to a remote [Logstash](https://www.elastic.co/products/logstash) instance for further enrichment prior to insertion into an [OpenSearch](https://opensearch.org/) database. Metrics categories can be enabled/disabled as described in the [autostart services](#HedgehogConfigAutostart) section of this document.
+
+This forwarder's configuration is almost identical to that of [filebeat](#Hedgehogfilebeat) in the previous section. Select `miscbeat` from the forwarding configuration mode options and follow the same steps outlined above to set up this forwarder.
+
+### Autostart services
+
+Once the forwarders have been configured, the final step is to **Configure Autostart Services**. Choose this option from the configuration mode menu after the welcome screen of the sensor configuration tool.
+
+Despite configuring capture and/or forwarder services as described in previous sections, only services enabled in the autostart configuration will run when the sensor starts up.
The available autostart processes are as follows (recommended services are in **bold text**):
+
+* **AUTOSTART_ARKIME** - [capture](#Hedgehogarkime-capture) PCAP engine for traffic capture, as well as traffic parsing and metadata insertion into OpenSearch for viewing in [Arkime](https://arkime.com/). If you are using Hedgehog Linux along with [Malcolm]({{ site.github.repository_url }}) or another Arkime installation, this is probably the packet capture engine you want to use.
+* **AUTOSTART_CLAMAV_UPDATES** - Virus database update service for ClamAV (requires sensor to be connected to the internet)
+* **AUTOSTART_FILEBEAT** - [filebeat](#Hedgehogfilebeat) Zeek and Suricata log forwarder
+* **AUTOSTART_FLUENTBIT_AIDE** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/exec) [AIDE](https://aide.github.io/) file system integrity checks
+* **AUTOSTART_FLUENTBIT_AUDITLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/tail) [auditd](https://man7.org/linux/man-pages/man8/auditd.8.html) logs
+* *AUTOSTART_FLUENTBIT_KMSG* - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/kernel-logs) the Linux kernel log buffer (these are generally reflected in syslog as well, which may make this agent redundant)
+* **AUTOSTART_FLUENTBIT_METRICS** - [Fluent Bit](https://fluentbit.io/) agent for collecting [various](https://docs.fluentbit.io/manual/pipeline/inputs) system resource and performance metrics
+* **AUTOSTART_FLUENTBIT_SYSLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/syslog) Linux syslog messages
+* **AUTOSTART_FLUENTBIT_THERMAL** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/thermal) system temperatures (only applicable on actual hardware, not if Hedgehog is running on a virtual machine)
+* **AUTOSTART_MISCBEAT** - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) forwarder which sends system metrics collected by [Fluent Bit](https://fluentbit.io/) to a remote Logstash instance (e.g., [Malcolm]({{ site.github.repository_url }})'s)
+* *AUTOSTART_NETSNIFF* - [netsniff-ng](http://netsniff-ng.org/) PCAP engine for saving packet capture (PCAP) files
+* **AUTOSTART_PRUNE_PCAP** - storage space monitor to ensure that PCAP files do not consume more than 90% of the total size of the storage volume to which PCAP files are written
+* **AUTOSTART_PRUNE_ZEEK** - storage space monitor to ensure that Zeek logs do not consume more than 90% of the total size of the storage volume to which Zeek logs are written
+* **AUTOSTART_SURICATA** - [Suricata](https://suricata.io/) traffic analysis engine
+* **AUTOSTART_SURICATA_UPDATES** - Rule update service for Suricata (requires sensor to be connected to the internet)
+* *AUTOSTART_TCPDUMP* - [tcpdump](https://www.tcpdump.org/) PCAP engine for saving packet capture (PCAP) files
+* **AUTOSTART_ZEEK** - [Zeek](https://www.zeek.org/) traffic analysis engine
+
+Note that only one packet capture engine ([capture](https://arkime.com/), [netsniff-ng](http://netsniff-ng.org/), or [tcpdump](https://www.tcpdump.org/)) can be used.
+
+![Autostart services](./images/hedgehog/images/autostarts.png)
+
+Once you have selected the autostart services, you will be prompted to confirm your selections. Doing so will cause these values to be written back out to the `/opt/sensor/sensor_ctl/control_vars.conf` configuration file.
+
+![Autostart services confirmation](./images/hedgehog/images/autostarts_confirm.png)
+
+After you have completed configuring the sensor it is recommended that you **reboot** Hedgehog to ensure all new settings take effect.
If rebooting is not an option, you may click the **Restart Sensor Services** menu icon in the top menu bar, or open a terminal and run:
+
+```
+/opt/sensor/sensor_ctl/shutdown && sleep 10 && /opt/sensor/sensor_ctl/supervisor.sh
+```
+
+This will cause the sensor services controller to stop, wait a few seconds, and restart. You can check the status of the sensor's processes by choosing **Sensor Status** from the sensor's kiosk mode, clicking the **Sensor Service Status** toolbar icon, or running `/opt/sensor/sensor_ctl/status` from the command line:
+
+```
+$ /opt/sensor/sensor_ctl/status
+arkime:arkime-capture RUNNING pid 6455, uptime 0:03:17
+arkime:arkime-viewer RUNNING pid 6456, uptime 0:03:17
+beats:filebeat RUNNING pid 6457, uptime 0:03:17
+beats:miscbeat RUNNING pid 6458, uptime 0:03:17
+clamav:clamav-service RUNNING pid 6459, uptime 0:03:17
+clamav:clamav-updates RUNNING pid 6461, uptime 0:03:17
+fluentbit-auditlog RUNNING pid 6463, uptime 0:03:17
+fluentbit-kmsg STOPPED Not started
+fluentbit-metrics:cpu RUNNING pid 6466, uptime 0:03:17
+fluentbit-metrics:df RUNNING pid 6471, uptime 0:03:17
+fluentbit-metrics:disk RUNNING pid 6468, uptime 0:03:17
+fluentbit-metrics:mem RUNNING pid 6472, uptime 0:03:17
+fluentbit-metrics:mem_p RUNNING pid 6473, uptime 0:03:17
+fluentbit-metrics:netif RUNNING pid 6474, uptime 0:03:17
+fluentbit-syslog RUNNING pid 6478, uptime 0:03:17
+fluentbit-thermal RUNNING pid 6480, uptime 0:03:17
+netsniff:netsniff-enp1s0 STOPPED Not started
+prune:prune-pcap RUNNING pid 6484, uptime 0:03:17
+prune:prune-zeek RUNNING pid 6486, uptime 0:03:17
+supercronic RUNNING pid 6490, uptime 0:03:17
+suricata RUNNING pid 6501, uptime 0:03:17
+tcpdump:tcpdump-enp1s0 STOPPED Not started
+zeek:capa RUNNING pid 6553, uptime 0:03:17
+zeek:clamav RUNNING pid 6512, uptime 0:03:17
+zeek:logger RUNNING pid 6554, uptime 0:03:17
+zeek:virustotal STOPPED Not started
+zeek:watcher RUNNING pid 6510, uptime 0:03:17
+zeek:yara RUNNING pid 6548, uptime 0:03:17
+zeek:zeekctl RUNNING pid 6502, uptime 0:03:17
+```
+
+## Verifying Traffic Capture and Forwarding
+
+The easiest way to verify that network traffic is being captured by the sensor and forwarded to Malcolm is through Malcolm's Arkime [Sessions](arkime.md#ArkimeSessions) interface.
+
+If you are logged into the Malcolm [desktop environment](#MalcolmDesktop), click the Arkime icon (**🦉**) in the top panel. If you're connecting from another browser, connect to `https://`.
+
+As Malcolm is using [self-signed TLS certificates](authsetup.md#TLSCerts), you will likely have to confirm an exception in your browser to allow the self-signed certificates to proceed. Enter the credentials you specified when you [configured authentication](#MalcolmAuthSetup).
+
+Arkime's sessions view will be displayed. To view records from a specific Hedgehog Linux sensor, you can filter on the `node` field. In the search bar, enter `node == hedgehoghostname` (replacing `hedgehoghostname` with the [hostname](#HedgehogInterfaces) you configured for Hedgehog). See the [Search Queries in Arkime and OpenSearch](queries-cheat-sheet.md#SearchCheatSheet) cheat sheet for more search syntax hints.
+
+![Arkime's Sessions view](./images/screenshots/arkime_sessions_node_filter.png)
+
+*Arkime's sessions view with a filter on `node`*
+
+Arkime's views button (indicated by the eyeball **👁** icon) allows overlaying additional previously-specified filters onto the current sessions filters. For convenience, Malcolm provides several Arkime preconfigured views including filtering on the `event.provider` and `event.dataset` fields. This can be combined with the `node` filter described above to verify that different network log types (e.g., Arkime sessions, Zeek logs, Suricata alerts, etc.) are all being captured and forwarded correctly.
+
+![Malcolm views](./images/screenshots/arkime_apply_view.png)
diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md
index 4c013dbbb..f2946d534 100644
--- a/docs/malcolm-iso.md
+++ b/docs/malcolm-iso.md
@@ -41,7 +41,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu
```
…
-Finished, created "/malcolm-build/malcolm-iso/malcolm-23.04.0.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-23.05.0.iso"
…
```
@@ -82,6 +82,6 @@ Following these prompts, the installer will reboot and the Malcolm base operatin
When the system boots for the first time, the Malcolm Docker images will load if the installer was built with pre-packaged installation files as described above. Wait for this operation to continue (the progress dialog will disappear when they have finished loading) before continuing the setup.
-Open a terminal (click the red terminal 🗔 icon next to the Debian swirl logo 🍥 menu button in the menu bar). At this point, setup is similar to the steps described in the [Quick start](quickstart.md#QuickStart) section. Navigate to the Malcolm directory (`cd ~/Malcolm`) and run [`auth_setup`](authsetup.md#AuthSetup) to configure authentication. If the ISO didn't have pre-packaged Malcolm images, or if you'd like to retrieve the latest updates, run `docker-compose pull`. Finalize your configuration by running `scripts/install.py --configure` and follow the prompts as illustrated in the [installation example](ubuntu-install-example.md#InstallationExample).
+Open a terminal (click the red terminal 🗔 icon next to the Debian swirl logo 🍥 menu button in the menu bar). At this point, setup is similar to the steps described in the [Quick start](quickstart.md#QuickStart) section. Navigate to the Malcolm directory (`cd ~/Malcolm`) and run [`auth_setup`](authsetup.md#AuthSetup) to configure authentication. If the ISO didn't have pre-packaged Malcolm images, or if you'd like to retrieve the latest updates, run `docker-compose pull`. Finalize your configuration by running `scripts/configure` and follow the prompts as illustrated in the [installation example](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig).
Once Malcolm is configured, you can [start Malcolm](running.md#Starting) via the command line or by clicking the circular yellow Malcolm icon in the menu bar.
\ No newline at end of file
diff --git a/docs/malcolm-preparation.md b/docs/malcolm-preparation.md index 6e0861c60..468138b53 100644 --- a/docs/malcolm-preparation.md +++ b/docs/malcolm-preparation.md @@ -3,7 +3,7 @@ * [Configuration](#Configuration) - [Recommended system requirements](system-requirements.md#SystemRequirements) - [Malcolm Configuration](malcolm-config.md#ConfigAndTuning) - + [`docker-compose.yml` parameters](malcolm-config.md#DockerComposeYml) + + [Environment Variable Files](malcolm-config.md#MalcolmConfigEnvVars) - [Configure authentication](authsetup.md#AuthSetup) + [Local account management](authsetup.md#AuthBasicAccountManagement) + [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) diff --git a/docs/malcolm-upgrade.md b/docs/malcolm-upgrade.md index 9e81b79b2..8fc5ea6a0 100644 --- a/docs/malcolm-upgrade.md +++ b/docs/malcolm-upgrade.md @@ -23,7 +23,7 @@ If you checked out a working copy of the Malcolm repository from GitHub with a ` 5. apply saved configuration change stashed earlier * `git stash pop` 6. if you see `Merge conflict` messages, resolve the [conflicts](https://git-scm.com/book/en/v2/Git-Branching-Basic-Branching-and-Merging#_basic_merge_conflicts) with your favorite text editor -7. you may wish to re-run `install.py --configure` as described in [System configuration and tuning](malcolm-config.md#ConfigAndTuning) in case there are any new `docker-compose.yml` parameters for Malcolm that need to be set up +7. you may wish to re-run `./scripts/configure` as described in [Malcolm Configuration](malcolm-config.md#ConfigAndTuning) in case there are any new configuration parameters for Malcolm that need to be set up 8. start Malcolm * `./scripts/start` 9. you may be prompted to [configure authentication](authsetup.md#AuthSetup) if there are new authentication-related files that need to be generated 
@@ -39,14 +39,14 @@ If you installed Malcolm from [pre-packaged installation files]({{ site.github.r * `tar xf malcolm_YYYYMMDD_HHNNSS_xxxxxxx.tar.gz` 3. backup current Malcolm scripts, configuration files and certificates * `mkdir -p ./upgrade_backup_$(date +%Y-%m-%d)` - * `cp -r filebeat/ htadmin/ logstash/ nginx/ auth.env docker-compose.yml net-map.json ./scripts ./README.md ./upgrade_backup_$(date +%Y-%m-%d)/` + * `cp -r filebeat/ htadmin/ logstash/ nginx/ config/ docker-compose.yml ./scripts ./README.md ./upgrade_backup_$(date +%Y-%m-%d)/` 3. replace scripts and local documentation in your existing installation with the new ones * `rm -rf ./scripts ./README.md` * `cp -r ./malcolm_YYYYMMDD_HHNNSS_xxxxxxx/scripts ./malcolm_YYYYMMDD_HHNNSS_xxxxxxx/README.md ./` 4. replace (overwrite) `docker-compose.yml` file with new version * `cp ./malcolm_YYYYMMDD_HHNNSS_xxxxxxx/docker-compose.yml ./docker-compose.yml` -5. re-run `./scripts/install.py --configure` as described in [System configuration and tuning](malcolm-config.md#ConfigAndTuning) -6. using a file comparison tool (e.g., `diff`, `meld`, `Beyond Compare`, etc.), compare `docker-compose.yml` and the `docker-compare.yml` file you backed up in step 3, and manually migrate over any customizations you wish to preserve from that file (e.g., `PCAP_FILTER`, `MAXMIND_GEOIP_DB_LICENSE_KEY`, `MANAGE_PCAP_FILES`; [anything else](malcolm-config.md#DockerComposeYml) you may have edited by hand in `docker-compose.yml` that's not prompted for in `install.py --configure`) +5. re-run `./scripts/configure` as described in [Malcolm Configuration](malcolm-config.md#ConfigAndTuning) +6. 
using a file comparison tool (e.g., `diff`, `meld`, `Beyond Compare`, etc.), compare `docker-compose.yml` and the `docker-compare.yml` file you backed up in step 3, and manually migrate over any customizations you wish to preserve from that file (e.g., `PCAP_FILTER`, `MAXMIND_GEOIP_DB_LICENSE_KEY`, `MANAGE_PCAP_FILES`; [anything else](malcolm-config.md#MalcolmConfigEnvVars) you may have edited by hand in `docker-compose.yml` that's not prompted for in `configure`) 7. pull the new docker images (this will take a while) * `docker-compose pull` to pull them from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) or `docker-compose load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.gz` if you have an offline tarball of the Malcolm docker images 8. start Malcolm diff --git a/docs/opensearch-instances.md b/docs/opensearch-instances.md index 57427db2a..b68633051 100644 --- a/docs/opensearch-instances.md +++ b/docs/opensearch-instances.md 
@@ -7,7 +7,7 @@ Malcolm's default standalone configuration is to use a local [OpenSearch](https:
As the permutations of OpenSearch cluster configurations are numerous, it is beyond Malcolm's scope to set up multi-node clusters. However, Malcolm can be configured to use a remote OpenSearch cluster rather than its own internal instance.
-The `OPENSEARCH_…` [environment variables in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) control whether Malcolm uses its own local OpenSearch instance or a remote OpenSearch instance as its primary data store. The configuration portion of Malcolm install script ([`./scripts/install.py --configure`](malcolm-config.md#ConfigAndTuning)) can help you configure these options.
+The `OPENSEARCH_…` [environment variables in `opensearch.env`](malcolm-config.md#MalcolmConfigEnvVars) control whether Malcolm uses its own local OpenSearch instance or a remote OpenSearch instance as its primary data store. The configuration portion of Malcolm install script ([`./scripts/configure`](malcolm-config.md#ConfigAndTuning)) can help you configure these options.
For example, to use the default standalone configuration, answer `Y` when prompted `Should Malcolm use and maintain its own OpenSearch instance?`.
@@ -25,7 +25,7 @@ You must run auth_setup after install.py to store OpenSearch connection credenti
…
```
-Whether the primary OpenSearch instance is a locally maintained single-node instance or is a remote cluster, Malcolm can be configured additionally forward logs to a secondary remote OpenSearch instance. The `OPENSEARCH_SECONDARY_…` [environment variables in `docker-compose.yml`](malcolm-config.md#DockerComposeYml) control this behavior. Configuration of a remote secondary OpenSearch instance is similar to that of a remote primary OpenSearch instance:
+Whether the primary OpenSearch instance is a locally maintained single-node instance or is a remote cluster, Malcolm can be configured additionally forward logs to a secondary remote OpenSearch instance. The `OPENSEARCH_SECONDARY_…` [environment variables in `opensearch.env`](malcolm-config.md#MalcolmConfigEnvVars) control this behavior. Configuration of a remote secondary OpenSearch instance is similar to that of a remote primary OpenSearch instance:
```
@@ -42,7 +42,7 @@ You must run auth_setup after install.py to store OpenSearch connection credenti
## Authentication and authorization for remote OpenSearch clusters
-In addition to setting the environment variables in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) as described above, you must provide Malcolm with credentials for it to be able to communicate with remote OpenSearch instances. These credentials are stored in the Malcolm installation directory as `.opensearch.primary.curlrc` and `.opensearch.secondary.curlrc` for the primary and secondary OpenSearch connections, respectively, and are bind mounted into the Docker containers which need to communicate with OpenSearch. These [cURL-formatted](https://everything.curl.dev/cmdline/configfile) config files can be generated for you by the [`auth_setup`](authsetup.md#AuthSetup) script as illustrated:
+In addition to setting the environment variables in [`opensearch.env`](malcolm-config.md#MalcolmConfigEnvVars) as described above, you must provide Malcolm with credentials for it to be able to communicate with remote OpenSearch instances. These credentials are stored in the Malcolm installation directory as `.opensearch.primary.curlrc` and `.opensearch.secondary.curlrc` for the primary and secondary OpenSearch connections, respectively, and are bind mounted into the Docker containers which need to communicate with OpenSearch. These [cURL-formatted](https://everything.curl.dev/cmdline/configfile) config files can be generated for you by the [`auth_setup`](authsetup.md#AuthSetup) script as illustrated:
```
$ ./scripts/auth_setup
@@ -55,7 +55,7 @@ OpenSearch username: servicedb
servicedb password:
servicedb password (again):
-Additional local accounts can be created at https://localhost:488/ when Malcolm is running
+Additional local accounts can be created at https://localhost/auth/ when Malcolm is running
Require SSL certificate validation for OpenSearch communication? (Y/n): n
diff --git a/docs/quickstart.md b/docs/quickstart.md
index 55416e359..40e5d49dd 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -6,9 +6,9 @@
## Getting Malcolm
-For a `TL;DR` example of downloading, configuring, and running Malcolm on a Linux platform, see [Installation example using Ubuntu 22.04 LTS](ubuntu-install-example.md#InstallationExample).
+For a `TL;DR` example of downloading, configuring, and running Malcolm in Docker on a Linux platform, see **[Installation example using Ubuntu 22.04 LTS](ubuntu-install-example.md#InstallationExample)**.
-The scripts to control Malcolm require Python 3. The [`install.py`](malcolm-config.md#ConfigAndTuning) script requires the [requests](https://docs.python-requests.org/en/latest/) module for Python 3, and will make use of the [pythondialog](https://pythondialog.sourceforge.io/) module for user interaction (on Linux) if it is available.
+For a more in-depth guide convering installing both Malcolm and a [Hedgehog Linux](hedgehog.md) sensor using the [Malcolm installer ISO](malcolm-iso.md#ISO) and [Hedgehog Linux installer ISO](hedgehog-installation.md#HedgehogInstallation), see **[End-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#InstallationExample)**.
### Source code
@@ -20,7 +20,9 @@ The `build.sh` script can build Malcolm's Docker images from scratch. See [Build
### Initial configuration
-You must run [`auth_setup`](authsetup.md#AuthSetup) prior to pulling Malcolm's Docker images. You should also ensure your system configuration and `docker-compose.yml` settings are tuned by running `./scripts/install.py` or `./scripts/install.py --configure` (see [System configuration and tuning](malcolm-config.md#ConfigAndTuning)).
+The scripts to control Malcolm require Python 3. The [`install.py`](malcolm-config.md#ConfigAndTuning) script requires the [dotenv](https://github.com/theskumar/python-dotenv), [requests](https://docs.python-requests.org/en/latest/) and [PyYAML](https://pyyaml.org/) modules for Python 3, and will make use of the [pythondialog](https://pythondialog.sourceforge.io/) module for user interaction (on Linux) if it is available.
+
+You must run [`auth_setup`](authsetup.md#AuthSetup) prior to pulling Malcolm's Docker images. You should also ensure your system configuration and Malcolm settings are tuned by running `./scripts/install.py` and `./scripts/configure` (see [Malcolm Configuration](malcolm-config.md#ConfigAndTuning)).
### Pull Malcolm's Docker images
@@ -36,7 +38,6 @@ Pulling filebeat ... done
Pulling freq ... done
Pulling htadmin ... done
Pulling logstash ... done
-Pulling name-map-ui ... done
Pulling netbox ... done
Pulling netbox-postgresql ... done
Pulling netbox-redis ... done
@@ -53,26 +54,25 @@ You can then observe that the images have been retrieved by running `docker imag
```
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
-ghcr.io/idaholab/malcolm/api 23.04.0 xxxxxxxxxxxx 3 days ago 158MB
-ghcr.io/idaholab/malcolm/arkime 23.04.0 xxxxxxxxxxxx 3 days ago 816MB
-ghcr.io/idaholab/malcolm/dashboards 23.04.0 xxxxxxxxxxxx 3 days ago 1.02GB
-ghcr.io/idaholab/malcolm/dashboards-helper 23.04.0 xxxxxxxxxxxx 3 days ago 184MB
-ghcr.io/idaholab/malcolm/file-monitor 23.04.0 xxxxxxxxxxxx 3 days ago 588MB
-ghcr.io/idaholab/malcolm/file-upload 23.04.0 xxxxxxxxxxxx 3 days ago 259MB
-ghcr.io/idaholab/malcolm/filebeat-oss 23.04.0 xxxxxxxxxxxx 3 days ago 624MB
-ghcr.io/idaholab/malcolm/freq 23.04.0 xxxxxxxxxxxx 3 days ago 132MB
-ghcr.io/idaholab/malcolm/htadmin 23.04.0 xxxxxxxxxxxx 3 days ago 242MB
-ghcr.io/idaholab/malcolm/logstash-oss 23.04.0 xxxxxxxxxxxx 3 days ago 1.35GB
-ghcr.io/idaholab/malcolm/name-map-ui 23.04.0 xxxxxxxxxxxx 3 days ago 143MB
-ghcr.io/idaholab/malcolm/netbox 23.04.0 xxxxxxxxxxxx 3 days ago 1.01GB
-ghcr.io/idaholab/malcolm/nginx-proxy 23.04.0 xxxxxxxxxxxx 3 days ago 121MB
-ghcr.io/idaholab/malcolm/opensearch 23.04.0 xxxxxxxxxxxx 3 days ago 1.17GB
-ghcr.io/idaholab/malcolm/pcap-capture 23.04.0 xxxxxxxxxxxx 3 days ago 121MB
-ghcr.io/idaholab/malcolm/pcap-monitor 23.04.0 xxxxxxxxxxxx 3 days ago 213MB
-ghcr.io/idaholab/malcolm/postgresql 23.04.0 xxxxxxxxxxxx 3 days ago 268MB
-ghcr.io/idaholab/malcolm/redis 23.04.0 xxxxxxxxxxxx 3 days ago 34.2MB
-ghcr.io/idaholab/malcolm/suricata 23.04.0 xxxxxxxxxxxx 3 days ago 278MB
-ghcr.io/idaholab/malcolm/zeek 23.04.0 xxxxxxxxxxxx 3 days ago 1GB
+ghcr.io/idaholab/malcolm/api 23.05.0 xxxxxxxxxxxx 3 days ago 158MB
+ghcr.io/idaholab/malcolm/arkime 23.05.0 xxxxxxxxxxxx 3 days ago 816MB
+ghcr.io/idaholab/malcolm/dashboards 23.05.0 xxxxxxxxxxxx 3 days ago 1.02GB
+ghcr.io/idaholab/malcolm/dashboards-helper 23.05.0 xxxxxxxxxxxx 3 days ago 184MB
+ghcr.io/idaholab/malcolm/file-monitor 23.05.0
xxxxxxxxxxxx 3 days ago 588MB
+ghcr.io/idaholab/malcolm/file-upload 23.05.0 xxxxxxxxxxxx 3 days ago 259MB
+ghcr.io/idaholab/malcolm/filebeat-oss 23.05.0 xxxxxxxxxxxx 3 days ago 624MB
+ghcr.io/idaholab/malcolm/freq 23.05.0 xxxxxxxxxxxx 3 days ago 132MB
+ghcr.io/idaholab/malcolm/htadmin 23.05.0 xxxxxxxxxxxx 3 days ago 242MB
+ghcr.io/idaholab/malcolm/logstash-oss 23.05.0 xxxxxxxxxxxx 3 days ago 1.35GB
+ghcr.io/idaholab/malcolm/netbox 23.05.0 xxxxxxxxxxxx 3 days ago 1.01GB
+ghcr.io/idaholab/malcolm/nginx-proxy 23.05.0 xxxxxxxxxxxx 3 days ago 121MB
+ghcr.io/idaholab/malcolm/opensearch 23.05.0 xxxxxxxxxxxx 3 days ago 1.17GB
+ghcr.io/idaholab/malcolm/pcap-capture 23.05.0 xxxxxxxxxxxx 3 days ago 121MB
+ghcr.io/idaholab/malcolm/pcap-monitor 23.05.0 xxxxxxxxxxxx 3 days ago 213MB
+ghcr.io/idaholab/malcolm/postgresql 23.05.0 xxxxxxxxxxxx 3 days ago 268MB
+ghcr.io/idaholab/malcolm/redis 23.05.0 xxxxxxxxxxxx 3 days ago 34.2MB
+ghcr.io/idaholab/malcolm/suricata 23.05.0 xxxxxxxxxxxx 3 days ago 278MB
+ghcr.io/idaholab/malcolm/zeek 23.05.0 xxxxxxxxxxxx 3 days ago 1GB
```
### Import from pre-packaged tarballs
@@ -92,6 +92,5 @@ A few minutes after starting Malcolm (probably 5 to 10 minutes for Logstash to b
* [OpenSearch Dashboards](https://opensearch.org/docs/latest/dashboards/index/): [https://localhost/dashboards/](https://localhost/dashboards/) or [https://localhost:5601](https://localhost:5601)
* [Capture File and Log Archive Upload (Web)](upload.md#Upload): [https://localhost/upload/](https://localhost/upload/)
* [Capture File and Log Archive Upload (SFTP)](upload.md#Upload): `sftp://@127.0.0.1:8022/files`
-* [Host and Subnet Name Mapping](host-and-subnet-mapping.md#HostAndSubnetNaming) Editor: [https://localhost/name-map-ui/](https://localhost/name-map-ui/)
* [NetBox](asset-interaction-analysis.md#AssetInteractionAnalysis): [https://localhost/netbox/](https://localhost/netbox/)
-* [Account Management](authsetup.md#AuthBasicAccountManagement): [https://localhost:488](https://localhost:488)
\ No newline at end of file
+* [Account Management](authsetup.md#AuthBasicAccountManagement): [https://localhost/auth/](https://localhost/auth/)
\ No newline at end of file
diff --git a/docs/running.md b/docs/running.md
index 72dd39bbf..3f02502be 100644
--- a/docs/running.md
+++ b/docs/running.md
@@ -24,7 +24,7 @@ You can also use `docker stats` to monitor the resource utilization of running c
You can run `./scripts/stop` to stop the docker containers and remove their virtual network. Alternatively, `./scripts/restart` will restart an instance of Malcolm. Because the data on disk is stored on the host in docker volumes, doing these operations will not result in loss of data.
-Malcolm can be configured to be automatically restarted when the Docker system daemon restart (for example, on system reboot). This behavior depends on the [value](https://docs.docker.com/config/containers/start-containers-automatically/) of the [`restart:`](https://docs.docker.com/compose/compose-file/#restart) setting for each service in the `docker-compose.yml` file. This value can be set by running [`./scripts/install.py --configure`](malcolm-config.md#ConfigAndTuning) and answering "yes" to "`Restart Malcolm upon system or Docker daemon restart?`."
+Malcolm can be configured to be automatically restarted when the Docker system daemon restart (for example, on system reboot). This behavior depends on the [value](https://docs.docker.com/config/containers/start-containers-automatically/) of the [`restart:`](https://docs.docker.com/compose/compose-file/#restart) setting for each service in the `docker-compose.yml` file. This value can be set by running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning) and answering "yes" to "`Restart Malcolm upon system or Docker daemon restart?`."
## Clearing Malcolm's data
diff --git a/docs/severity.md b/docs/severity.md
index c48951d78..88f3b230d 100644
--- a/docs/severity.md
+++ b/docs/severity.md
@@ -5,12 +5,12 @@
As Zeek logs are parsed and enriched prior to indexing, a severity score up to `100` (a higher score indicating a more severe event) can be assigned when one or more of the following conditions are met:
-* cross-segment network traffic (if [network subnets were defined](host-and-subnet-mapping.md#HostAndSubnetNaming))
+* cross-segment network traffic (if [network subnets were defined](asset-interaction-analysis.md#AssetInteractionAnalysis))
* connection origination and destination (e.g., inbound, outbound, external, internal)
* traffic to or from sensitive countries
- - The comma-separated list of countries (by [ISO 3166-1 alpha-2 code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) can be customized by setting the `SENSITIVE_COUNTRY_CODES` environment variable in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml).
+ - The comma-separated list of countries (by [ISO 3166-1 alpha-2 code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) can be customized by setting the `SENSITIVE_COUNTRY_CODES` environment variable in [`lookup-common.env`](malcolm-config.md#MalcolmConfigEnvVars).
* domain names (from DNS queries and SSL server names) with high entropy as calculated by [freq](https://github.com/MarkBaggett/freq)
- - The entropy threshold for this condition to trigger can be adjusted by setting the `FREQ_SEVERITY_THRESHOLD` environment variable in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml). A lower value will only assign severity scores to fewer domain names with higher entropy (e.g., `2.0` for `NQZHTFHRMYMTVBQJE.COM`), while a higher value will assign severity scores to more domain names with lower entropy (e.g., `7.5` for `naturallanguagedomain.example.org`).
+ - The entropy threshold for this condition to trigger can be adjusted by setting the `FREQ_SEVERITY_THRESHOLD` environment variable in [`lookup-common.env`](malcolm-config.md#MalcolmConfigEnvVars).
A lower value will only assign severity scores to fewer domain names with higher entropy (e.g., `2.0` for `NQZHTFHRMYMTVBQJE.COM`), while a higher value will assign severity scores to more domain names with lower entropy (e.g., `7.5` for `naturallanguagedomain.example.org`).
* file transfers (categorized by mime type)
* `notice.log`, [`intel.log`](zeek-intel.md#ZeekIntel) and `weird.log` entries, including those generated by Zeek plugins detecting vulnerabilities (see the list of Zeek plugins under [Components](components.md#Components))
* detection of cleartext passwords
@@ -20,9 +20,9 @@ As Zeek logs are parsed and enriched prior to indexing, a severity score up to `
* common network services communicating over non-standard ports
* file scanning engine hits on [extracted files](file-scanning.md#ZeekFileExtraction)
* large connection or file transfer
- - The size (in megabytes) threshold for this condition to trigger can be adjusted by setting the `TOTAL_MEGABYTES_SEVERITY_THRESHOLD` environment variable in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml).
+ - The size (in megabytes) threshold for this condition to trigger can be adjusted by setting the `TOTAL_MEGABYTES_SEVERITY_THRESHOLD` environment variable in [`lookup-common.env`](malcolm-config.md#MalcolmConfigEnvVars).
* long connection duration
- - The duration (in seconds) threshold for this condition to trigger can be adjusted by setting the `CONNECTION_SECONDS_SEVERITY_THRESHOLD` environment variable in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml).
+ - The duration (in seconds) threshold for this condition to trigger can be adjusted by setting the `CONNECTION_SECONDS_SEVERITY_THRESHOLD` environment variable in [`lookup-common.env`](malcolm-config.md#MalcolmConfigEnvVars).
As this [feature]({{ site.github.repository_url }}/issues/19) is improved it's expected that additional categories will be identified and implemented for severity scoring.
@@ -42,6 +42,6 @@ These categories' severity scores can be customized by editing `logstash/maps/ma
"PROTOCOL_SSH": 40
```
-Restart Logstash after modifying `malcolm_severity.yaml` for the changes to take effect. The [hostname and CIDR subnet names interface](host-and-subnet-mapping.md#NameMapUI) provides a convenient button for restarting Logstash.
+Restart Logstash after modifying `malcolm_severity.yaml` for the changes to take effect.
-Severity scoring can be disabled globally by setting the `LOGSTASH_SEVERITY_SCORING` environment variable to `false` in the [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) file and [restarting Malcolm](running.md#StopAndRestart).
\ No newline at end of file
+Severity scoring can be disabled globally by setting the `LOGSTASH_SEVERITY_SCORING` environment variable to `false` in the [`logstash.env`](malcolm-config.md#MalcolmConfigEnvVars) file and [restarting Malcolm](running.md#StopAndRestart).
\ No newline at end of file
diff --git a/docs/third-party-logs.md b/docs/third-party-logs.md
index 54090ff6b..a3fb8aaff 100644
--- a/docs/third-party-logs.md
+++ b/docs/third-party-logs.md
@@ -26,7 +26,7 @@ The types of third-party logs and metrics discussed in this document are *not* t
## Configuring Malcolm
-The environment variables in [`docker-compose.yml`](malcolm-config.md#DockerComposeYml) for configuring how Malcolm accepts external logs are prefixed with `FILEBEAT_TCP_…`. These values can be specified during Malcolm configuration (i.e., when running [`./scripts/install.py --configure`](malcolm-config.md#ConfigAndTuning)), as can be seen from the following excerpt from the [Installation example](ubuntu-install-example.md#InstallationExample):
+The environment variables in [`filebeat.env`](malcolm-config.md#MalcolmConfigEnvVars) for configuring how Malcolm accepts external logs are prefixed with `FILEBEAT_TCP_…`. These values can be specified during Malcolm configuration (i.e., when running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning)), as can be seen from the following excerpt from the [Installation example](ubuntu-install-example.md#InstallationExample):
```
…
@@ -47,7 +47,7 @@ Tag to apply to messages sent to Filebeat TCP listener (_malcolm_beats): _malcol
…
```
-The variables corresponding to these questions can be found in the `filebeat-variables` section of`docker-compose.yml`:
+The variables corresponding to these questions can be found in [`filebeat.env`](malcolm-config.md#MalcolmConfigEnvVars):
* `FILEBEAT_TCP_LISTEN` - whether or not to expose a [Filebeat TCP input listener](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) to which logs may be sent (the default TCP port is `5045`: you may need to adjust your firewall accordingly)
* `FILEBEAT_TCP_LOG_FORMAT` - log format expected for logs sent to the Filebeat TCP input listener (`json` or `raw`)
@@ -60,7 +60,7 @@ These variables' values will depend on your forwarder and the format of the data
### Secure communication
-In order to maintain the integrity and confidentiality of your data, Malcolm's default (set via the `BEATS_SSL` environment variable in `docker-compose.yml`) is to require connections from external forwarders to be encrypted using TLS. When [`./scripts/auth_setup`](authsetup.md#AuthSetup) is run, self-signed certificates are generated which may be used by remote log forwarders. Located in the `filebeat/certs/` directory, the certificate authority and client certificate and key files should be copied to the host on which your forwarder is running and used when defining its settings for connecting to Malcolm.
+In order to maintain the integrity and confidentiality of your data, Malcolm's default (set via the `BEATS_SSL` environment variable in [`beats-common.env`](malcolm-config.md#MalcolmConfigEnvVars)) is to require connections from external forwarders to be encrypted using TLS. When [`./scripts/auth_setup`](authsetup.md#AuthSetup) is run, self-signed certificates are generated which may be used by remote log forwarders. Located in the `filebeat/certs/` directory, the certificate authority and client certificate and key files should be copied to the host on which your forwarder is running and used when defining its settings for connecting to Malcolm.
## Fluent Bit
@@ -276,7 +276,7 @@ Running fluentbit_winev... fluentbit_winevtlog
Elastic [Beats](https://www.elastic.co/beats/) can also be used to forward data to Malcolm's Filebeat TCP listener. Follow the [Get started with Beats](https://www.elastic.co/guide/en/beats/libbeat/current/getting-started.html) documentation for configuring Beats on your system.
-In contrast to Fluent Bit, Beats forwarders write to Malcolm's Logstash input over TCP port 5044 (rather than its Filebeat TCP input). Answer `Y` when prompted `Expose Logstash port to external hosts?` during Malcolm configuration (i.e., when running [`./scripts/install.py --configure`](malcolm-config.md#ConfigAndTuning)) to allow external remote Beats forwarders to send logs to Logstash.
+In contrast to Fluent Bit, Beats forwarders write to Malcolm's Logstash input over TCP port 5044 (rather than its Filebeat TCP input). Answer `Y` when prompted `Expose Logstash port to external hosts?` during Malcolm configuration (i.e., when running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning)) to allow external remote Beats forwarders to send logs to Logstash.
Your Beat's [configuration YML file](https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format.html) file might look something like this sample [filebeat.yml](https://www.elastic.co/guide/en/beats/filebeat/current/configuring-howto-filebeat.html) file:
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md
index 051aacf61..0e4e8c315 100644
--- a/docs/ubuntu-install-example.md
+++ b/docs/ubuntu-install-example.md
@@ -2,15 +2,17 @@ Here's a step-by-step example of getting [Malcolm from GitHub]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}), configuring your system and your Malcolm instance, and running it on a system running Ubuntu Linux. Your mileage may vary depending on your individual system configuration, but this should be a good starting point. +For a more in-depth guide convering installing both Malcolm and a [Hedgehog Linux](hedgehog.md) sensor using the [Malcolm installer ISO](malcolm-iso.md#ISO) and [Hedgehog Linux installer ISO](hedgehog-installation.md#HedgehogInstallation), see **[End-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#InstallationExample)**. + The commands in this example should be executed as a non-root user. You can use `git` to clone Malcolm into a local working copy, or you can download and extract the artifacts from the [latest release]({{ site.github.repository_url }}/releases). -To install Malcolm from the latest Malcolm release, browse to the [Malcolm releases page on GitHub]({{ site.github.repository_url }}/releases) and download at a minimum `install.py` and the `malcolm_YYYYMMDD_HHNNSS_xxxxxxx.tar.gz` file, then navigate to your downloads directory: +To install Malcolm from the latest Malcolm release, browse to the [Malcolm releases page on GitHub]({{ site.github.repository_url }}/releases) and download at a minimum the files ending in `.py` and the `malcolm_YYYYMMDD_HHNNSS_xxxxxxx.tar.gz` file, then navigate to your downloads directory: ``` user@host:~$ cd Downloads/ user@host:~/Downloads$ ls -malcolm_common.py install.py malcolm_20190611_095410_ce2d8de.tar.gz +malcolm_common.py malcolm_kubernetes.py malcolm_utils.py install.py malcolm_20190611_095410_ce2d8de.tar.gz ``` If you are obtaining Malcolm using `git` instead, run the following command to clone Malcolm into a local working copy: 
@@ -81,12 +83,12 @@ vm.dirty_ratio= appears to be missing from /etc/sysctl.conf, append it? (Y/n): y /etc/security/limits.d/limits.conf does not exist, create it? (Y/n): y ``` -If you are configuring Malcolm from within a git working copy, `install.py` will now exit. Run `install.py` again like you did at the beginning of the example, only remove the `sudo` and add `--configure` to run `install.py` in "configuration only" mode. +If you are configuring Malcolm from within a git working copy, `install.py` will now exit. Run `./scripts/configure` to continue with configuration: ``` -user@host:~/Malcolm$ ./scripts/install.py --configure +user@host:~/Malcolm$ ./scripts/configure ``` -Alternately, if you are configuring Malcolm from the release tarball you will be asked if you would like to extract the contents of the tarball and to specify the installation directory and `install.py` will continue: +Alternately, if you are configuring Malcolm from the release tarball you will be asked if you would like to extract the contents of the tarball and to specify the installation directory and Malcolm configuration will continue: ``` Extract Malcolm runtime files from /home/user/Downloads/malcolm_20190611_095410_ce2d8de.tar.gz (Y/n): y @@ -100,6 +102,8 @@ Malcolm processes will run as UID 1000 and GID 1000. Is this OK? (Y/n): y Should Malcolm use and maintain its own OpenSearch instance? (Y/n): y +Compress OpenSearch index snapshots? (y/N): n + Forward Logstash logs to a secondary remote OpenSearch instance? (y/N): n Setting 10g for OpenSearch and 3g for Logstash. Is this OK? (Y/n): y 
@@ -119,20 +123,25 @@ Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)? (y/ Specify external Docker network name (or leave blank for default networking) (): -Authenticate against Lightweight Directory Access Protocol (LDAP) server? (y/N): n +1: Basic +2: Lightweight Directory Access Protocol (LDAP) +3: None +Select authentication method (Basic): 1 Store PCAP, log and index files locally under /home/user/Malcolm? (Y/n): y -Compress OpenSearch index snapshots? (y/N): n - Delete the oldest indices when the database exceeds a certain size? (y/N): n +Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y/N): y + Automatically analyze all PCAP files with Suricata? (Y/n): y Download updated Suricata signatures periodically? (y/N): y Automatically analyze all PCAP files with Zeek? (Y/n): y +Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek? (y/N): n + Perform reverse DNS lookup locally for source and destination IP addresses in logs? (y/N): n Perform hardware vendor OUI lookups for MAC addresses? (Y/n): y @@ -144,17 +153,8 @@ Expose OpenSearch port to external hosts? (y/N): n Expose Logstash port to external hosts? (y/N): n Expose Filebeat TCP port to external hosts? (y/N): y -1: json -2: raw -Select log format for messages sent to Filebeat TCP listener (json): 1 -Source field to parse for messages sent to Filebeat TCP listener (message): message - -Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener (miscbeat): miscbeat - -Field to drop from events sent to Filebeat TCP listener (message): message - -Tag to apply to messages sent to Filebeat TCP listener (_malcolm_beats): _malcolm_beats +Use default field values for Filebeat TCP listener? (Y/n): y Expose SFTP server (for PCAP upload) to external hosts? (y/N): n 
@@ -190,16 +190,10 @@ Should Malcolm capture live network traffic to PCAP files for analysis with Arki Capture packets using netsniff-ng? (Y/n): y -Capture packets using tcpdump? (y/N): n - -Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y/N): y - Should Malcolm analyze live network traffic with Suricata? (y/N): y Should Malcolm analyze live network traffic with Zeek? (y/N): y -Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek? (y/N): n - Specify capture interface(s) (comma-separated): eth0 Capture filter (tcpdump-like filter expression; leave blank to capture all traffic) (): not port 5044 and not port 8005 and not port 9200 @@ -224,7 +218,7 @@ Administrator username: analyst analyst password: analyst password (again): -Additional local accounts can be created at https://localhost:488/ when Malcolm is running +Additional local accounts can be created at https://localhost/auth/ when Malcolm is running (Re)generate self-signed certificates for HTTPS access (Y/n): y @@ -249,7 +243,6 @@ Pulling filebeat ... done Pulling freq ... done Pulling htadmin ... done Pulling logstash ... done -Pulling name-map-ui ... done Pulling netbox ... done Pulling netbox-postgresql ... done Pulling netbox-redis ... done 
@@ -263,26 +256,25 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.04.0 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.04.0 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.04.0 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.04.0 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.04.0 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.04.0 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.04.0 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.04.0 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.04.0 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.04.0 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/name-map-ui 23.04.0 xxxxxxxxxxxx 3 days ago 143MB -ghcr.io/idaholab/malcolm/netbox 23.04.0 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.04.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.04.0 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.04.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.04.0 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.04.0 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.04.0 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.04.0 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.04.0 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.05.0 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.05.0 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.05.0 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.05.0 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.05.0 xxxxxxxxxxxx 3 days ago 588MB 
+ghcr.io/idaholab/malcolm/file-upload 23.05.0 xxxxxxxxxxxx 3 days ago 259MB +ghcr.io/idaholab/malcolm/filebeat-oss 23.05.0 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.05.0 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.05.0 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.05.0 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.05.0 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.05.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.05.0 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.05.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.05.0 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.05.0 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.05.0 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.05.0 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.05.0 xxxxxxxxxxxx 3 days ago 1GB ``` Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background. @@ -294,9 +286,8 @@ In a few minutes, Malcolm services will be accessible via the following URLs: - OpenSearch Dashboards: https://localhost/dashboards/ - PCAP upload (web): https://localhost/upload/ - PCAP upload (sftp): sftp://username@127.0.0.1:8022/files/ - - Host and subnet name mapping editor: https://localhost/name-map-ui/ - NetBox: https://localhost/netbox/ - - Account management: https://localhost:488/ + - Account management: https://localhost/auth/ - Documentation: https://localhost/readme/ NAME COMMAND SERVICE STATUS PORTS 
@@ -309,7 +300,6 @@ malcolm-filebeat-1 "/usr/local/bin/dock…" filebeat r malcolm-freq-1 "/usr/local/bin/dock…" freq running (starting) … malcolm-htadmin-1 "/usr/local/bin/dock…" htadmin running (starting) … malcolm-logstash-1 "/usr/local/bin/dock…" logstash running (starting) … -malcolm-name-map-ui-1 "/usr/local/bin/dock…" name-map-ui running (starting) … malcolm-netbox-1 "/usr/bin/tini -- /u…" netbox running (starting) … malcolm-netbox-postgres-1 "/usr/bin/docker-uid…" netbox-postgres running (starting) … malcolm-netbox-redis-1 "/sbin/tini -- /usr/…" netbox-redis running (starting) … diff --git a/docs/upload.md b/docs/upload.md index a0a4e5fe1..c48ee3938 100644 --- a/docs/upload.md +++ b/docs/upload.md 
@@ -21,10 +21,10 @@ Files uploaded via these methods are monitored and moved automatically to other ## Tagging -In addition to be processed for uploading, Malcolm events will be tagged according to the components of the filenames of the PCAP files or Zeek log archives files from which the events were parsed. For example, records created from a PCAP file named `ACME_Scada_VLAN10.pcap` would be tagged with `ACME`, `Scada`, and `VLAN10`. Tags are extracted from filenames by splitting on the characters `,` (comma), `-` (dash), and `_` (underscore). These tags are viewable and searchable (via the `tags` field) in Arkime and OpenSearch Dashboards. This behavior can be changed by modifying the `AUTO_TAG` [environment variable in `docker-compose.yml`](malcolm-config.md#DockerComposeYml). +In addition to be processed for uploading, Malcolm events will be tagged according to the components of the filenames of the PCAP files or Zeek log archives files from which the events were parsed. For example, records created from a PCAP file named `ACME_Scada_VLAN10.pcap` would be tagged with `ACME`, `Scada`, and `VLAN10`. Tags are extracted from filenames by splitting on the characters `,` (comma), `-` (dash), and `_` (underscore). These tags are viewable and searchable (via the `tags` field) in Arkime and OpenSearch Dashboards. This behavior can be changed by modifying the `AUTO_TAG` [environment variable in `upload-common.env`](malcolm-config.md#MalcolmConfigEnvVars). Tags may also be specified manually with the [browser-based upload form](#Upload). ## Processing uploaded PCAPs with Zeek and Suricata -The **Analyze with Zeek** and **Analyze with Suricata** checkboxes may be used when uploading PCAP files to cause them to be analyzed by Zeek and Suricata, respectively. This is functionally equivalent to the `ZEEK_AUTO_ANALYZE_PCAP_FILES` and `SURICATA_AUTO_ANALYZE_PCAP_FILES` environment variables [described above](malcolm-config.md#DockerComposeYml), only on a per-upload basis. 
Zeek can also automatically carve out files from file transfers; see [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) for more details. +The **Analyze with Zeek** and **Analyze with Suricata** checkboxes may be used when uploading PCAP files to cause them to be analyzed by Zeek and Suricata, respectively. This is functionally equivalent to the `ZEEK_AUTO_ANALYZE_PCAP_FILES` and `SURICATA_AUTO_ANALYZE_PCAP_FILES` environment variables [described above](malcolm-config.md#MalcolmConfigEnvVars), only on a per-upload basis. Zeek can also automatically carve out files from file transfers; see [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) for more details. diff --git a/file-monitor/supervisord.conf b/file-monitor/supervisord.conf index 917044d55..c61eb90c7 100644 --- a/file-monitor/supervisord.conf +++ b/file-monitor/supervisord.conf @@ -17,11 +17,11 @@ supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface serverurl=unix:///tmp/supervisor.sock [program:watcher] -command=/usr/local/bin/zeek_carve_watcher.py - --verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG)s - --extra-verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA)s +command=/usr/local/bin/zeek_carve_watcher.py %(ENV_EXTRACTED_FILE_PIPELINE_VERBOSITY)s --start-sleep %(ENV_EXTRACTED_FILE_WATCHER_START_SLEEP)s --ignore-existing %(ENV_EXTRACTED_FILE_IGNORE_EXISTING)s + --polling "%(ENV_EXTRACTED_FILE_WATCHER_POLLING)s" + --closed-sec %(ENV_EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC)s --min-bytes %(ENV_EXTRACTED_FILE_MIN_BYTES)s --max-bytes %(ENV_EXTRACTED_FILE_MAX_BYTES)s --directory "%(ENV_ZEEK_EXTRACTOR_PATH)s" 
@@ -39,9 +39,7 @@ redirect_stderr=true programs=virustotal,clamav,yara,capa [program:virustotal] -command=/usr/local/bin/vtot_scan.py - --verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG)s - --extra-verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA)s +command=/usr/local/bin/vtot_scan.py %(ENV_EXTRACTED_FILE_PIPELINE_VERBOSITY)s --start-sleep %(ENV_EXTRACTED_FILE_SCANNER_START_SLEEP)s --vtot-api %(ENV_VTOT_API2_KEY)s --req-limit %(ENV_VTOT_REQUESTS_PER_MINUTE)s @@ -56,9 +54,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:clamav] -command=/usr/local/bin/clam_scan.py - --verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG)s - --extra-verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA)s +command=/usr/local/bin/clam_scan.py %(ENV_EXTRACTED_FILE_PIPELINE_VERBOSITY)s --start-sleep %(ENV_EXTRACTED_FILE_SCANNER_START_SLEEP)s --clamav %(ENV_EXTRACTED_FILE_ENABLE_CLAMAV)s --clamav-socket "%(ENV_CLAMD_SOCKET_FILE)s" @@ -74,9 +70,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:yara] -command=/usr/local/bin/yara_scan.py - --verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG)s - --extra-verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA)s +command=/usr/local/bin/yara_scan.py %(ENV_EXTRACTED_FILE_PIPELINE_VERBOSITY)s --start-sleep %(ENV_EXTRACTED_FILE_SCANNER_START_SLEEP)s --yara %(ENV_EXTRACTED_FILE_ENABLE_YARA)s --yara-custom-only %(ENV_EXTRACTED_FILE_YARA_CUSTOM_ONLY)s @@ -92,9 +86,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:capa] -command=/usr/local/bin/capa_scan.py - --verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG)s - --extra-verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA)s +command=/usr/local/bin/capa_scan.py %(ENV_EXTRACTED_FILE_PIPELINE_VERBOSITY)s --start-sleep %(ENV_EXTRACTED_FILE_SCANNER_START_SLEEP)s --capa %(ENV_EXTRACTED_FILE_ENABLE_CAPA)s --capa-verbose %(ENV_EXTRACTED_FILE_CAPA_VERBOSE)s 
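Review bot: The virustotal program in the first hunk on this line still hands the API key to the scanner on its command line (`--vtot-api %(ENV_VTOT_API2_KEY)s`), so it is readable by any local user through the process list for as long as vtot_scan.py runs; since the key is already in supervisord's environment as `VTOT_API2_KEY`, the cleaner arrangement is for vtot_scan.py to read it from its own environment and for the command line to drop the flag. That line is unchanged context in this hunk, so this is a follow-up rather than a defect the commit introduces. The verbosity refactor itself (`%(ENV_EXTRACTED_FILE_PIPELINE_VERBOSITY)s` replacing the two debug flags) is applied consistently across the virustotal, clamav, yara, capa and logger hunks here and on the next line.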
@@ -110,9 +102,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:logger] -command=/usr/local/bin/zeek_carve_logger.py - --verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG)s - --extra-verbose %(ENV_EXTRACTED_FILE_PIPELINE_DEBUG_EXTRA)s +command=/usr/local/bin/zeek_carve_logger.py %(ENV_EXTRACTED_FILE_PIPELINE_VERBOSITY)s --start-sleep %(ENV_EXTRACTED_FILE_LOGGER_START_SLEEP)s --preserve %(ENV_EXTRACTED_FILE_PRESERVATION)s --directory "%(ENV_ZEEK_EXTRACTOR_PATH)s" diff --git a/file-upload/nginx/sites-available/default b/file-upload/nginx/sites-available/default index 36936f866..68fb276d8 100644 --- a/file-upload/nginx/sites-available/default +++ b/file-upload/nginx/sites-available/default @@ -2,6 +2,7 @@ server { listen 80 default_server; sendfile on; + gzip off; client_max_body_size 50G; client_body_buffer_size 4M; diff --git a/filebeat/scripts/filebeat-clean-zeeklogs-processed-folder.py b/filebeat/scripts/filebeat-clean-zeeklogs-processed-folder.py index 448fc045c..736e7c0e7 100755 --- a/filebeat/scripts/filebeat-clean-zeeklogs-processed-folder.py +++ b/filebeat/scripts/filebeat-clean-zeeklogs-processed-folder.py @@ -43,7 +43,6 @@ def silentRemove(filename): def checkFile(filename, filebeatReg=None, checkLogs=True, checkArchives=True): - try: # first check to see if it's in the filebeat registry if filebeatReg is not None: 
@@ -70,16 +69,15 @@ def checkFile(filename, filebeatReg=None, checkLogs=True, checkArchives=True): fuserProcess.communicate() fuserExitCode = fuserProcess.wait() if fuserExitCode != 0: - # the file is not in use, let's check it's mtime/ctime logTime = max(os.path.getctime(filename), os.path.getmtime(filename)) lastUseTime = nowTime - logTime # get the file type fileType = magic.from_file(filename, mime=True) - if (checkLogs == True) and (cleanLogSeconds > 0) and (fileType == logMimeType): + if (checkLogs is True) and (cleanLogSeconds > 0) and (fileType == logMimeType): cleanSeconds = cleanLogSeconds - elif (checkArchives == True) and (cleanZipSeconds > 0) and archiveMimeTypeRegex.match(fileType) is not None: + elif (checkArchives is True) and (cleanZipSeconds > 0) and archiveMimeTypeRegex.match(fileType) is not None: cleanSeconds = cleanZipSeconds else: # not a file we're going to be messing with @@ -90,7 +88,7 @@ def checkFile(filename, filebeatReg=None, checkLogs=True, checkArchives=True): print('removing old file "{}" ({}, used {} seconds ago)'.format(filename, fileType, lastUseTime)) silentRemove(filename) - except FileNotFoundError as fnf: + except FileNotFoundError: # file's already gone, oh well pass @@ -99,7 +97,6 @@ def checkFile(filename, filebeatReg=None, checkLogs=True, checkArchives=True): def pruneFiles(): - if (cleanLogSeconds <= 0) and (cleanZipSeconds <= 0): # disabled, don't do anything return @@ -143,7 +140,7 @@ def pruneFiles(): candidateDirs.sort(reverse=True) candidateDirs.sort(key=len, reverse=True) candidateDirsAndTimes = zip(candidateDirs, [os.path.getmtime(dirToRm) for dirToRm in candidateDirs]) - for (dirToRm, dirTime) in candidateDirsAndTimes: + for dirToRm, dirTime in candidateDirsAndTimes: dirAge = nowTime - dirTime if dirAge >= cleanDirSeconds: try: diff --git a/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py b/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py new file mode 100755 index 000000000..43978a662 
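Review bot: Replacing `checkLogs == True` with `checkLogs is True` (and the same for `checkArchives`) in the @@ -70 hunk is a behavior change for any caller that passes a truthy non-bool such as `1`, which the `==` form accepted and the `is` form no longer treats as enabled; the idiomatic `if checkLogs and (cleanLogSeconds > 0) and (fileType == logMimeType):` / `elif checkArchives and (cleanZipSeconds > 0) and ...` satisfies the comparison-to-True lint without that edge. If only the literal `True` is meant to enable the check, a one-line comment saying so would stop the next reviewer from "fixing" it back. checkFile's body starts before and continues after this hunk, so I cannot see how its callers pass these flags.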
--- /dev/null
+++ b/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py
@@ -0,0 +1,242 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. + +################################################################################################### +# Monitor a directory for PCAP files for processing (by publishing their filenames to a ZMQ socket) +# +# Run the script with --help for options +################################################################################################### + +import argparse +import glob +import logging +import magic +import os +import pathlib +import shutil +import signal +import sys +import time + +import malcolm_utils +from malcolm_utils import eprint, str2bool, remove_suffix +import watch_common + +################################################################################################### +scriptName = os.path.basename(__file__) +scriptPath = os.path.dirname(os.path.realpath(__file__)) +origPath = os.getcwd() +shuttingDown = [False] + +SUPPORTED_MIME_TYPES = [ + 'application/gzip', + 'application/x-gzip', + 'application/x-7z-compressed', + 'application/x-bzip2', + 'application/x-cpio', + 'application/x-lzip', + 'application/x-lzma', + 'application/x-rar-compressed', + 'application/x-tar', + 'application/x-xz', + 'application/zip', +] + + +################################################################################################### +# handle sigint/sigterm and set a global shutdown variable +def shutdown_handler(signum, frame): + global shuttingDown + shuttingDown[0] = True + + +################################################################################################### +def file_processor(pathname, **kwargs): + mime_types = kwargs["mime_types"] + uid = kwargs["uid"] + gid = kwargs["gid"] + destination = kwargs["destination"] + logger = kwargs["logger"] if "logger" in kwargs and kwargs["logger"] else logging + + logger.info(f"{scriptName}:\t👓\t{pathname}") + + if os.path.isfile(pathname) and 
os.path.isdir(destination): + time.sleep(0.1) + try: + os.chown(pathname, uid, gid) + + # get the file magic mime type + fileMime = magic.from_file(pathname, mime=True) + + if fileMime in mime_types: + # looks like this is a compressed file, we're assuming it's a zeek log archive to be processed by filebeat + logger.info(f"{scriptName}:\t🖅\t{pathname} [{fileMime}] to {destination}") + shutil.move(pathname, os.path.join(destination, os.path.basename(pathname))) + + else: + # unhandled file type uploaded, delete it + logger.warning(f"{scriptName}:\t🗑\t{pathname} [{fileMime}]") + os.unlink(pathname) + + except Exception as genericError: + logger.error(f"{scriptName}:\texception: {genericError}") + + +################################################################################################### +# main +def main(): + global shuttingDown + + parser = argparse.ArgumentParser( + description=scriptName, + add_help=False, + usage='{} '.format(scriptName), + ) + parser.add_argument('--verbose', '-v', action='count', default=1, help='Increase verbosity (e.g., -v, -vv, etc.)') + parser.add_argument( + '-r', + '--recursive-directory', + dest='recursiveDir', + help="If specified, monitor all directories with this name underneath --directory", + metavar='', + type=str, + required=False, + ) + parser.add_argument( + '-p', + '--polling', + dest='polling', + help="Use polling (instead of inotify)", + metavar='true|false', + type=str2bool, + nargs='?', + const=True, + default=os.getenv('FILEBEAT_WATCHER_POLLING', False), + required=False, + ) + parser.add_argument( + '-c', + '--closed-sec', + dest='assumeClosedSec', + help="When polling, assume a file is closed after this many seconds of inactivity", + metavar='', + type=int, + default=int( + os.getenv('FILEBEAT_WATCHER_POLLING_ASSUME_CLOSED_SEC', str(watch_common.ASSUME_CLOSED_SEC_DEFAULT)) + ), + required=False, + ) + parser.add_argument( + '-i', + '--in', + dest='srcDir', + help='Source directory to monitor', + metavar='', + 
type=str, + default=os.path.join(remove_suffix(os.getenv('FILEBEAT_ZEEK_DIR', '/zeek'), '/'), 'upload'), + required=False, + ) + parser.add_argument( + '-o', + '--out', + dest='dstDir', + help='Destination directory', + metavar='', + type=str, + default=remove_suffix(os.getenv('FILEBEAT_ZEEK_DIR', '/zeek'), '/'), + required=False, + ) + parser.add_argument( + '-u', + '--uid', + dest='chownUid', + help='UID to chown files', + metavar='', + type=int, + default=int(os.getenv('PUID', os.getenv('DEFAULT_UID', '1000'))), + required=False, + ) + parser.add_argument( + '-g', + '--gid', + dest='chownGid', + help='UID to chown files', + metavar='', + type=int, + default=int(os.getenv('PGID', os.getenv('DEFAULT_GID', '1000'))), + required=False, + ) + parser.add_argument( + '--start-sleep', + dest='startSleepSec', + help="Sleep for this many seconds before starting", + metavar='', + type=int, + default=0, + required=False, + ) + + try: + parser.error = parser.exit + args = parser.parse_args() + except SystemExit: + parser.print_help() + exit(2) + + args.verbose = logging.ERROR - (10 * args.verbose) if args.verbose > 0 else 0 + logging.basicConfig( + level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S' + ) + logging.info(os.path.join(scriptPath, scriptName)) + logging.info("Arguments: {}".format(sys.argv[1:])) + logging.info("Arguments: {}".format(args)) + if args.verbose > logging.DEBUG: + sys.tracebacklimit = 0 + + # handle sigint and sigterm for graceful shutdown + signal.signal(signal.SIGINT, shutdown_handler) + signal.signal(signal.SIGTERM, shutdown_handler) + + # sleep for a bit if requested + sleepCount = 0 + while (not shuttingDown[0]) and (sleepCount < args.startSleepSec): + time.sleep(1) + sleepCount += 1 + + args.dstDir = remove_suffix(args.dstDir, '/') + args.srcDir = remove_suffix(args.srcDir, '/') + + # if directory to monitor doesn't exist, create it now + if not os.path.isdir(args.srcDir): + 
logging.info(f'{scriptName}:\tcreating "{args.srcDir}" to monitor') + pathlib.Path(args.srcDir).mkdir(parents=False, exist_ok=True) + + # if recursion was requested, get list of directories to monitor + watchDirs = [] + while len(watchDirs) == 0: + if args.recursiveDir is None: + watchDirs = [args.srcDir] + else: + watchDirs = glob.glob(f'{args.srcDir}/**/{args.recursiveDir}', recursive=True) + + watch_common.WatchAndProcessDirectory( + watchDirs, + args.polling, + file_processor, + { + "logger": logging, + "destination": args.dstDir, + "uid": args.chownUid, + "gid": args.chownGid, + "mime_types": SUPPORTED_MIME_TYPES, + }, + args.assumeClosedSec, + shuttingDown, + logging, + ) + + +if __name__ == '__main__': + main() diff --git a/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.sh b/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.sh deleted file mode 100755 index 09fc1b484..000000000 --- a/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.sh +++ /dev/null 
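Review bot: The `while len(watchDirs) == 0:` loop near the end of main() neither sleeps nor checks `shuttingDown[0]`, so when `--recursive-directory` is given and no matching directory exists yet the process spins at full CPU and ignores SIGINT/SIGTERM until one appears; change the condition to `while (not shuttingDown[0]) and (len(watchDirs) == 0):` and add `time.sleep(1)` after the `glob.glob` call when it returns nothing. The header comment ("Monitor a directory for PCAP files for processing (by publishing their filenames to a ZMQ socket)") and the `--gid` help text (`'UID to chown files'`) were carried over from another watcher and do not describe this script; the header should say that it watches the upload directory and moves files whose MIME type is in `SUPPORTED_MIME_TYPES` into the `--out` directory (default `FILEBEAT_ZEEK_DIR`) while deleting anything else, and the help text should read `'GID to chown files'`. In file_processor, `os.path.isfile` and `os.chown` both follow symlinks, so if the upload directory is writable by less-trusted uploaders a dropped symlink would be chowned at its target before the MIME check runs; an explicit `if os.path.islink(pathname): os.unlink(pathname); return` at the top would make the intended handling visible, if that threat model applies to this directory.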
@@ -1,22 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - - -PROCESS_DIR=${FILEBEAT_ZEEK_DIR:-/zeek/} -UPLOAD_DIR="${PROCESS_DIR}/upload" -mkdir -p "$UPLOAD_DIR" - -# as new zeek log archives are closed for writing in /zeek/upload, move them to /zeek for processing -inotifywait -m -e close_write --format '%w%f' "${UPLOAD_DIR}" | while read NEWFILE -do - FILEMIME=$(file -b --mime-type "$NEWFILE") - if ( echo "$FILEMIME" | grep --quiet -P "(application/gzip|application/x-gzip|application/x-7z-compressed|application/x-bzip2|application/x-cpio|application/x-lzip|application/x-lzma|application/x-rar-compressed|application/x-tar|application/x-xz|application/zip)" ); then - # looks like this is a compressed file, we're assuming it's a zeek log archive to be processed by filebeat - sleep 0.1 && chown ${PUID:-${DEFAULT_UID}}:${PGID:-${DEFAULT_GID}} "$NEWFILE" && (>&2 mv -v "$NEWFILE" "$PROCESS_DIR/") - else - # unhandled file type uploaded, delete it - sleep 0.1 && chown ${PUID:-${DEFAULT_UID}}:${PGID:-${DEFAULT_GID}} && (>&2 rm "$NEWFILE") && echo "Removed \"$NEWFILE\", unhandled file type \"$FILEMIME\"" - fi -done - diff --git a/filebeat/supervisord.conf b/filebeat/supervisord.conf index e19cf460a..b81c54ef5 100644 --- a/filebeat/supervisord.conf +++ b/filebeat/supervisord.conf @@ -65,7 +65,14 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:watch-upload] -command=/bin/bash -c "sleep 30 && /usr/local/bin/filebeat-watch-zeeklogs-uploads-folder.sh" +command=python3 /usr/local/bin/filebeat-watch-zeeklogs-uploads-folder.py %(ENV_PCAP_PIPELINE_VERBOSITY)s + --start-sleep 30 + --polling "%(ENV_FILEBEAT_WATCHER_POLLING)s" + --closed-sec %(ENV_FILEBEAT_WATCHER_POLLING_ASSUME_CLOSED_SEC)s + --in "%(ENV_FILEBEAT_ZEEK_DIR)s"/upload + --out "%(ENV_FILEBEAT_ZEEK_DIR)s" + --uid %(ENV_PUID)s + --gid %(ENV_PGID)s user=root startsecs=35 startretries=1 
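Review bot: The new watch-upload command line hard-requires `ENV_PUID`, `ENV_PGID`, `ENV_FILEBEAT_WATCHER_POLLING`, `ENV_FILEBEAT_WATCHER_POLLING_ASSUME_CLOSED_SEC` and `ENV_PCAP_PIPELINE_VERBOSITY` to be set — supervisord fails its config parse when a `%(ENV_X)s` name cannot be expanded — so the fallback chain the script itself implements (`PUID` → `DEFAULT_UID` → `1000`, and the `FILEBEAT_WATCHER_*` defaults) never gets a chance to apply. If those defaults are meant to be the safety net, drop `--uid %(ENV_PUID)s` / `--gid %(ENV_PGID)s` and let the script read `PUID`/`PGID` from its inherited environment; otherwise please confirm every variable named here is defined in the filebeat environment file, which is outside this diff. Reusing `PCAP_PIPELINE_VERBOSITY` for a Zeek-log archive watcher also reads like a copy from the pcap pipeline; a dedicated variable, or a comment stating that sharing it is intentional, would avoid surprising log volume when someone raises PCAP verbosity. The deleted shell script on this line is replaced wholesale by the Python watcher, which is fine.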
diff --git a/freq-server/supervisord.conf b/freq-server/supervisord.conf index ab6de5e9a..1688ae430 100644 --- a/freq-server/supervisord.conf +++ b/freq-server/supervisord.conf @@ -17,7 +17,9 @@ supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface serverurl=unix:///tmp/supervisor.sock [program:freq] -command=/usr/bin/python3 /opt/freq_server/freq_server.py -ip 0.0.0.0 %(ENV_FREQ_PORT)s /opt/freq_server/freq_table.freq +command=/usr/bin/python3 /opt/freq_server/freq_server.py + -ip 0.0.0.0 %(ENV_FREQ_API_PORT)s + /opt/freq_server/freq_table.freq startsecs=5 startretries=2000000000 stopasgroup=true diff --git a/htadmin/htadmin.sh b/htadmin/htadmin.sh index 8ab93a399..9bbbde6b2 100644 --- a/htadmin/htadmin.sh +++ b/htadmin/htadmin.sh @@ -1,22 +1,22 @@ #!/usr/bin/env bash -HTADMIN_ENABLED=${NGINX_BASIC_AUTH:-"true"} +if [[ "${NGINX_BASIC_AUTH:-true}" == "true" ]]; then + + if [[ ! -f /var/www/htadmin/config/config.ini ]] && [[ -f /var/www/htadmin/default/config.ini ]]; then + cp /var/www/htadmin/default/config.ini /var/www/htadmin/config/config.ini + [[ -n ${PUID} ]] && chown -f ${PUID} /var/www/htadmin/config/config.ini + [[ -n ${PGID} ]] && chown -f :${PGID} /var/www/htadmin/config/config.ini + fi + + if [[ ! -f /var/www/htadmin/config/metadata ]] && [[ -f /var/www/htadmin/default/metadata ]]; then + cp /var/www/htadmin/default/metadata /var/www/htadmin/config/metadata + [[ -n ${PUID} ]] && chown -f ${PUID} /var/www/htadmin/config/metadata + [[ -n ${PGID} ]] && chown -f :${PGID} /var/www/htadmin/config/metadata + fi -if [[ "$HTADMIN_ENABLED" == "true" ]]; then sleep 10 nginx -g "daemon off;" + else - mkdir -p /tmp/htadmin_disabled - pushd /tmp/htadmin_disabled >/dev/null 2>&1 && \ - cat << EOF > index.html - -
Basic Authentication Disabled
- -

Basic HTTP authentication has been disabled.

-

Refer to the Malcolm documentation for details on LDAP authentication.

- - -EOF - python3 -m http.server 80 - popd >/dev/null 2>&1 -fi \ No newline at end of file + /usr/local/bin/service_check_passthrough.sh -d -s htadmin -p 80 -f http +fi diff --git a/htadmin/nginx/sites-available/default b/htadmin/nginx/sites-available/default index 672a85577..7af8821b3 100644 --- a/htadmin/nginx/sites-available/default +++ b/htadmin/nginx/sites-available/default @@ -2,9 +2,10 @@ server { listen 80 default_server; sendfile on; + gzip off; root /var/www/htadmin; - index index.php index.html index.htm; + index htadmin.php index.html index.htm; server_name htaccess.malcolm.local; @@ -18,8 +19,16 @@ server { fastcgi_pass unix:/run/php/php7.4-fpm.sock; } + location /auth { + deny all; + return 404; + } location /config { deny all; return 404; } -} + location /default { + deny all; + return 404; + } +} \ No newline at end of file diff --git a/kubernetes/.gitignore b/kubernetes/.gitignore new file mode 100644 index 000000000..8f3d61bcb --- /dev/null +++ b/kubernetes/.gitignore @@ -0,0 +1,2 @@ +# user-defined volumes can be defined in 01-volumes.yml, patterned after 01-volumes.yml.example +01-volumes.yml diff --git a/kubernetes/00-ingress.yml b/kubernetes/00-ingress.yml new file mode 100644 index 000000000..60d423032 --- /dev/null +++ b/kubernetes/00-ingress.yml 
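Review bot: The two first-start seeding blocks added to htadmin.sh are identical apart from the filename (`config.ini` vs `metadata`); a loop over the two names removes the duplication and makes seeding a third file a one-word change. A short comment stating that defaults are copied only when the file is absent from `/var/www/htadmin/config` — so operator edits survive container restarts — would also help, since that is the property the `! -f` tests protect. The `chown -f` calls silence failures; that is presumably for the case where `PUID`/`PGID` point at ids the filesystem rejects, but a word saying so would stop it reading as an accident.

```shell
if [[ "${NGINX_BASIC_AUTH:-true}" == "true" ]]; then

  # seed writable config from the shipped defaults on first start only;
  # existing files (operator edits) are left untouched
  for SEED_FILE in config.ini metadata; do
    if [[ ! -f /var/www/htadmin/config/"$SEED_FILE" ]] && [[ -f /var/www/htadmin/default/"$SEED_FILE" ]]; then
      cp /var/www/htadmin/default/"$SEED_FILE" /var/www/htadmin/config/"$SEED_FILE"
      [[ -n ${PUID} ]] && chown -f ${PUID} /var/www/htadmin/config/"$SEED_FILE"
      [[ -n ${PGID} ]] && chown -f :${PGID} /var/www/htadmin/config/"$SEED_FILE"
    fi
  done

  # … unchanged: sleep, nginx -g "daemon off;", else branch …
```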
@@ -0,0 +1,43 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: nginx-ingress + namespace: malcolm + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/backend-protocol: "https" + nginx.ingress.kubernetes.io/preserve-trailing-slash: "false" + nginx.ingress.kubernetes.io/ssl-passthrough: "false" + nginx.ingress.kubernetes.io/client-body-buffer-size: "512k" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "0" + nginx.ingress.kubernetes.io/proxy-buffer-size: "512k" + nginx.ingress.kubernetes.io/proxy-buffering: "off" + nginx.ingress.kubernetes.io/proxy-request-buffering: "off" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + +spec: + rules: + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: nginx-proxy + port: + number: 443 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: tcp-services + namespace: ingress-nginx +data: + 5044: "malcolm/logstash:5044" + 5045: "malcolm/filebeat:5045" + 8022: "malcolm/upload:22" + 9200: "malcolm/nginx-proxy:9200" \ No newline at end of file diff --git a/kubernetes/01-volumes.yml.example b/kubernetes/01-volumes.yml.example new file mode 100644 index 000000000..60555b6da --- /dev/null +++ b/kubernetes/01-volumes.yml.example 
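Review bot: The Ingress rule has no `host` and the spec has no `tls:` section, so the controller matches every hostname and terminates TLS with its default self-signed certificate before re-encrypting to `nginx-proxy:443` (`backend-protocol: "https"`); a `tls:` entry referencing a certificate secret, or at least a comment stating that the fallback certificate is expected, would avoid surprising operators. `kubernetes.io/ingress.class` is the deprecated annotation form — `spec.ingressClassName: nginx` is the replacement on current clusters. The `tcp-services` ConfigMap alone does not open 5044/5045/8022/9200: the ingress-nginx controller must be started with `--tcp-services-configmap` pointing at it and its Service must publish those ports, which is worth a comment here, as is the fact that `9200: "malcolm/nginx-proxy:9200"` exposes the OpenSearch API proxy as raw TCP outside the cluster.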
@@ -0,0 +1,300 @@ +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: pcap-volume + namespace: malcolm + labels: + namespace: malcolm +spec: + capacity: + storage: 500Gi + volumeMode: Filesystem + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + storageClassName: nfs + mountOptions: + - nfsvers=4.1 + - soft + - noac + - timeo=600 + - retrans=2 + nfs: + path: /malcolm/pcap + server: 192.168.0.100 + readOnly: false + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pcap-claim + namespace: malcolm +spec: + storageClassName: nfs + accessModes: + - ReadWriteMany + volumeMode: Filesystem + resources: + requests: + storage: 500Gi + volumeName: pcap-volume + +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: zeek-volume + namespace: malcolm + labels: + namespace: malcolm +spec: + capacity: + storage: 250Gi + volumeMode: Filesystem + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + storageClassName: nfs + mountOptions: + - nfsvers=4.1 + - soft + - noac + - timeo=600 + - retrans=2 + nfs: + path: /malcolm/zeek-logs + server: 192.168.0.100 + readOnly: false + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: zeek-claim + namespace: malcolm +spec: + storageClassName: nfs + accessModes: + - ReadWriteMany + volumeMode: Filesystem + resources: + requests: + storage: 250Gi + volumeName: zeek-volume + +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: suricata-volume + namespace: malcolm + labels: + namespace: malcolm +spec: + capacity: + storage: 100Gi + volumeMode: Filesystem + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + storageClassName: nfs + mountOptions: + - nfsvers=4.1 + - soft + - noac + - timeo=600 + - retrans=2 + nfs: + path: /malcolm/suricata-logs + server: 192.168.0.100 + readOnly: false + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: suricata-claim + namespace: malcolm +spec: + storageClassName: 
nfs + accessModes: + - ReadWriteMany + volumeMode: Filesystem + resources: + requests: + storage: 100Gi + volumeName: suricata-volume + +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: config-volume + namespace: malcolm + labels: + namespace: malcolm +spec: + capacity: + storage: 25Gi + volumeMode: Filesystem + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + storageClassName: nfs + mountOptions: + - nfsvers=4.1 + - soft + - noac + - timeo=600 + - retrans=2 + nfs: + path: /malcolm/config + server: 192.168.0.100 + readOnly: false + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: config-claim + namespace: malcolm +spec: + storageClassName: nfs + accessModes: + - ReadWriteMany + volumeMode: Filesystem + resources: + requests: + storage: 25Gi + volumeName: config-volume + +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: runtime-logs-volume + namespace: malcolm + labels: + namespace: malcolm +spec: + capacity: + storage: 25Gi + volumeMode: Filesystem + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + storageClassName: nfs + mountOptions: + - nfsvers=4.1 + - soft + - noac + - timeo=600 + - retrans=2 + nfs: + path: /malcolm/runtime-logs + server: 192.168.0.100 + readOnly: false + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: runtime-logs-claim + namespace: malcolm +spec: + storageClassName: nfs + accessModes: + - ReadWriteMany + volumeMode: Filesystem + resources: + requests: + storage: 25Gi + volumeName: runtime-logs-volume + +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: opensearch-volume + namespace: malcolm + labels: + namespace: malcolm +spec: + capacity: + storage: 500Gi + volumeMode: Filesystem + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + storageClassName: nfs + mountOptions: + - nfsvers=4.1 + - soft + - noac + - timeo=600 + - retrans=2 + nfs: + path: /malcolm/opensearch + server: 192.168.0.100 + 
readOnly: false + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: opensearch-claim + namespace: malcolm +spec: + storageClassName: nfs + accessModes: + - ReadWriteMany + volumeMode: Filesystem + resources: + requests: + storage: 500Gi + volumeName: opensearch-volume + +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: opensearch-backup-volume + namespace: malcolm + labels: + namespace: malcolm +spec: + capacity: + storage: 500Gi + volumeMode: Filesystem + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + storageClassName: nfs + mountOptions: + - nfsvers=4.1 + - soft + - noac + - timeo=600 + - retrans=2 + nfs: + path: /malcolm/opensearch-backup + server: 192.168.0.100 + readOnly: false + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: opensearch-backup-claim + namespace: malcolm +spec: + storageClassName: nfs + accessModes: + - ReadWriteMany + volumeMode: Filesystem + resources: + requests: + storage: 500Gi + volumeName: opensearch-backup-volume diff --git a/kubernetes/02-opensearch.yml b/kubernetes/02-opensearch.yml new file mode 100644 index 000000000..6cf5af14e --- /dev/null +++ b/kubernetes/02-opensearch.yml 
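Review bot: Every PersistentVolume here mounts with `soft` together with `noac`; a soft NFS mount returns I/O errors to the application once `timeo`/`retrans` are exhausted, which for the OpenSearch and PostgreSQL data directories (`opensearch-volume`, `config-volume`) can surface as index or WAL corruption rather than a retry — `hard` is the safer default for data volumes, with `soft` reserved for log-only paths if wanted at all. The six PV/PVC pairs differ only in name, size and export path, so a short header comment listing what must be edited when copying this to `01-volumes.yml` (server address, export paths, sizes, `storageClassName`) would help; `192.168.0.100` is clearly a placeholder but nothing says so.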
@@ -0,0 +1,88 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: opensearch + namespace: malcolm +spec: + ports: + - port: 9200 + protocol: TCP + name: opensearch + selector: + name: opensearch-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: opensearch-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: opensearch-deployment + replicas: 1 + template: + metadata: + labels: + name: opensearch-deployment + spec: + containers: + - name: opensearch-container + image: ghcr.io/idaholab/malcolm/opensearch:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + securityContext: + capabilities: + add: + - IPC_LOCK + - SYS_RESOURCE + ports: + - name: opensearch + protocol: TCP + containerPort: 9200 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: opensearch-env + env: + - name: VIRTUAL_HOST + value: "os.malcolm.local" + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: opensearch-var-local-catrust-volume + - mountPath: /var/local/curlrc/secretmap + name: opensearch-opensearch-curlrc-secret-volume + - mountPath: "/usr/share/opensearch/data" + name: opensearch-data-volume + - mountPath: "/opt/opensearch/backup" + name: opensearch-backup-volume + - name: opensearch-keystore-default-secret-volume + mountPath: /usr/share/opensearch/config/bootstrap/secretmap + - name: opensearch-config-persist-volume + mountPath: /usr/share/opensearch/config/persist + subPath: "opensearch" + volumes: + - name: opensearch-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: opensearch-opensearch-curlrc-secret-volume + secret: + secretName: opensearch-curlrc + - name: opensearch-data-volume + persistentVolumeClaim: + claimName: opensearch-claim + - name: opensearch-backup-volume + persistentVolumeClaim: + claimName: opensearch-backup-claim + - name: opensearch-keystore-default-secret-volume + secret: + secretName: opensearch-keystore + - 
name: opensearch-config-persist-volume + persistentVolumeClaim: + claimName: config-claim \ No newline at end of file diff --git a/kubernetes/03-dashboards.yml b/kubernetes/03-dashboards.yml new file mode 100644 index 000000000..8db23880b --- /dev/null +++ b/kubernetes/03-dashboards.yml @@ -0,0 +1,72 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: dashboards + namespace: malcolm +spec: + ports: + - port: 5601 + protocol: TCP + name: http + selector: + name: dashboards-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dashboards-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: dashboards-deployment + replicas: 1 + template: + metadata: + labels: + name: dashboards-deployment + spec: + containers: + - name: dashboards-container + image: ghcr.io/idaholab/malcolm/dashboards:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: http + protocol: TCP + containerPort: 5601 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: opensearch-env + env: + - name: VIRTUAL_HOST + value: "dashboards.malcolm.local" + livenessProbe: + httpGet: + path: /dashboards/api/status + port: 5601 + scheme: HTTP + initialDelaySeconds: 210 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: dashboards-var-local-catrust-volume + - mountPath: /var/local/curlrc/secretmap + name: dashboards-opensearch-curlrc-secret-volume + volumes: + - name: dashboards-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: dashboards-opensearch-curlrc-secret-volume + secret: + secretName: opensearch-curlrc diff --git a/kubernetes/04-upload.yml b/kubernetes/04-upload.yml new file mode 100644 index 000000000..bb978dbd2 --- /dev/null +++ b/kubernetes/04-upload.yml 
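Review bot: `opensearch-deployment` relies on the Deployment default `RollingUpdate` strategy while mounting `opensearch-claim` and `config-claim` read-write, so on an image update a second OpenSearch pod starts against the same data directory while the old one is still running; `strategy: {type: Recreate}` under `spec` prevents two writers sharing the volume. The same applies to `15-netbox-redis.yml` (`/data` on `config-claim`) and `17-netbox-postgres.yml` (`/var/lib/postgresql/data` on `config-claim`). This container also has no `resources:` requests/limits and — unlike the other deployments in this change — no liveness or readiness probe, so a hung JVM is never restarted and the `opensearch` Service routes to the pod as soon as the container process exists.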
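Review bot: Only a `livenessProbe` is defined, with `initialDelaySeconds: 210`; without a `readinessProbe` the `dashboards` Service starts routing to the pod the moment the container is running, so clients see connection errors for the whole start-up window. A `readinessProbe` on the same `/dashboards/api/status` endpoint with a short `periodSeconds` would gate traffic until the app answers. The same gap exists in the other Service-backed deployments in this change (upload, arkime, api, file-monitor, filebeat, logstash).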
@@ -0,0 +1,82 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: upload + namespace: malcolm +spec: + type: ClusterIP + ports: + - port: 22 + protocol: TCP + name: sftp + - port: 80 + protocol: TCP + name: http + selector: + name: upload-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: upload-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: upload-deployment + replicas: 1 + template: + metadata: + labels: + name: upload-deployment + spec: + containers: + - name: upload-container + image: ghcr.io/idaholab/malcolm/file-upload:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: sftp + protocol: TCP + containerPort: 22 + - name: http + protocol: TCP + containerPort: 80 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - secretRef: + name: auth-env + - configMapRef: + name: upload-env + env: + - name: VIRTUAL_HOST + value: "upload.malcolm.local" + livenessProbe: + httpGet: + path: / + port: 80 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: upload-var-local-catrust-volume + - mountPath: "/var/www/upload/server/php/chroot/files" + name: upload-pcap-volume + subPath: "upload" + volumes: + - name: upload-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: upload-pcap-volume + persistentVolumeClaim: + claimName: pcap-claim diff --git a/kubernetes/05-pcap-monitor.yml b/kubernetes/05-pcap-monitor.yml new file mode 100644 index 000000000..04be6b978 --- /dev/null +++ b/kubernetes/05-pcap-monitor.yml 
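Review bot: The container runs an SSH/SFTP server on port 22 that is reachable from outside the cluster via the ingress `tcp-services` entry `8022: "malcolm/upload:22"`, but nothing in this manifest persists the sshd host keys — if they live only in the container filesystem, every pod restart regenerates them and clients get a host-key-changed warning, which trains users to accept mismatches. Mounting a small persistent volume or a Secret over the host-key directory keeps the server identity stable across restarts. The `livenessProbe` only checks HTTP on port 80, so a dead sshd would not cause a restart; a `tcpSocket` probe on port 22 or a supervisorctl check would cover it.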
@@ -0,0 +1,83 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: pcap-monitor + namespace: malcolm +spec: + ports: + - port: 30441 + protocol: TCP + name: zmq + selector: + name: pcap-monitor-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pcap-monitor-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: pcap-monitor-deployment + replicas: 1 + template: + metadata: + labels: + name: pcap-monitor-deployment + spec: + containers: + - name: pcap-monitor-container + image: ghcr.io/idaholab/malcolm/pcap-monitor:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: zmq + protocol: TCP + containerPort: 30441 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: opensearch-env + - configMapRef: + name: upload-common-env + livenessProbe: + exec: + command: + - supervisorctl + - status + - watch-upload + - pcap-publisher + initialDelaySeconds: 90 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: pcap-monitor-var-local-catrust-volume + - mountPath: /var/local/curlrc/secretmap + name: pcap-monitor-opensearch-curlrc-secret-volume + - mountPath: "/pcap" + name: pcap-monitor-pcap-volume + - mountPath: "/zeek" + name: pcap-monitor-zeek-volume + volumes: + - name: pcap-monitor-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: pcap-monitor-opensearch-curlrc-secret-volume + secret: + secretName: opensearch-curlrc + - name: pcap-monitor-pcap-volume + persistentVolumeClaim: + claimName: pcap-claim + - name: pcap-monitor-zeek-volume + persistentVolumeClaim: + claimName: zeek-claim \ No newline at end of file diff --git a/kubernetes/06-arkime.yml b/kubernetes/06-arkime.yml new file mode 100644 index 000000000..786961836 --- /dev/null +++ b/kubernetes/06-arkime.yml 
@@ -0,0 +1,96 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: arkime + namespace: malcolm +spec: + ports: + - port: 8005 + protocol: TCP + name: http + selector: + name: arkime-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: arkime-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: arkime-deployment + replicas: 1 + template: + metadata: + labels: + name: arkime-deployment + spec: + containers: + - name: arkime-container + image: ghcr.io/idaholab/malcolm/arkime:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + securityContext: + capabilities: + add: + - IPC_LOCK + - SYS_RESOURCE + ports: + - name: http + protocol: TCP + containerPort: 8005 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: opensearch-env + - secretRef: + name: auth-env + - configMapRef: + name: upload-common-env + - configMapRef: + name: arkime-env + - secretRef: + name: arkime-secret-env + env: + - name: VIRTUAL_HOST + value: "arkime.malcolm.local" + livenessProbe: + httpGet: + path: /_ns_/nstest.html + port: 8005 + scheme: HTTPS + initialDelaySeconds: 210 + periodSeconds: 90 + timeoutSeconds: 30 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: arkime-var-local-catrust-volume + - mountPath: /var/local/curlrc/secretmap + name: arkime-opensearch-curlrc-secret-volume + - mountPath: "/data/pcap" + name: arkime-pcap-volume + - name: arkime-runtime-logs-volume + mountPath: /opt/arkime/logs + subPath: "arkime" + volumes: + - name: arkime-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: arkime-opensearch-curlrc-secret-volume + secret: + secretName: opensearch-curlrc + - name: arkime-pcap-volume + persistentVolumeClaim: + claimName: pcap-claim + - name: arkime-runtime-logs-volume + persistentVolumeClaim: + claimName: runtime-logs-claim \ No newline at end of file 
diff --git a/kubernetes/07-api.yml b/kubernetes/07-api.yml new file mode 100644 index 000000000..d318a8c46 --- /dev/null +++ b/kubernetes/07-api.yml @@ -0,0 +1,74 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: api + namespace: malcolm +spec: + ports: + - port: 5000 + protocol: TCP + name: http + selector: + name: api-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: api-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: api-deployment + replicas: 1 + template: + metadata: + labels: + name: api-deployment + spec: + containers: + - name: api-container + image: ghcr.io/idaholab/malcolm/api:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + command: ["gunicorn"] + args: ["--bind", "0:5000", "manage:app"] + ports: + - name: http + protocol: TCP + containerPort: 5000 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: opensearch-env + env: + - name: VIRTUAL_HOST + value: "api.malcolm.local" + livenessProbe: + httpGet: + path: /mapi/ping + port: 5000 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: api-var-local-catrust-volume + - mountPath: /var/local/curlrc/secretmap + name: api-opensearch-curlrc-secret-volume + volumes: + - name: api-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: api-opensearch-curlrc-secret-volume + secret: + secretName: opensearch-curlrc diff --git a/kubernetes/08-dashboards-helper.yml b/kubernetes/08-dashboards-helper.yml new file mode 100644 index 000000000..bdf8cb767 --- /dev/null +++ b/kubernetes/08-dashboards-helper.yml 
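Review bot: `args: ["--bind", "0:5000", "manage:app"]` starts gunicorn with its defaults — a single synchronous worker and a 30 s request timeout — so one slow OpenSearch query blocks every other request, including the `/mapi/ping` liveness probe, and the probe's 15 s `timeoutSeconds` then counts toward restarting the pod. Passing the concurrency explicitly, e.g. `args: ["--bind", "0:5000", "--workers", "2", "--threads", "4", "manage:app"]` (illustrative values), makes the choice intentional and visible. `0:5000` is unusual shorthand; `0.0.0.0:5000` is clearer to the next reader.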
@@ -0,0 +1,76 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: dashboards-helper + namespace: malcolm +spec: + ports: + - port: 28991 + protocol: TCP + name: http + selector: + name: dashboards-helper-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dashboards-helper-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: dashboards-helper-deployment + replicas: 1 + template: + metadata: + labels: + name: dashboards-helper-deployment + spec: + containers: + - name: dashboards-helper-container + image: ghcr.io/idaholab/malcolm/dashboards-helper:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: http + protocol: TCP + containerPort: 28991 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: opensearch-env + - configMapRef: + name: dashboards-helper-env + env: + - name: VIRTUAL_HOST + value: "dashboards-helper.malcolm.local" + livenessProbe: + exec: + command: + - supervisorctl + - status + - cron + - maps + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: dashboards-helper-var-local-catrust-volume + - mountPath: /var/local/curlrc/secretmap + name: dashboards-helper-opensearch-curlrc-secret-volume + volumes: + - name: dashboards-helper-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: dashboards-helper-opensearch-curlrc-secret-volume + secret: + secretName: opensearch-curlrc diff --git a/kubernetes/09-zeek.yml b/kubernetes/09-zeek.yml new file mode 100644 index 000000000..edfc8a64d --- /dev/null +++ b/kubernetes/09-zeek.yml 
@@ -0,0 +1,81 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: zeek-offline-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: zeek-offline-deployment + replicas: 1 + template: + metadata: + labels: + name: zeek-offline-deployment + spec: + containers: + - name: zeek-offline-container + image: ghcr.io/idaholab/malcolm/zeek:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + securityContext: + capabilities: + add: + - IPC_LOCK + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + - SYS_RESOURCE + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: upload-common-env + - configMapRef: + name: zeek-env + - secretRef: + name: zeek-secret-env + - configMapRef: + name: zeek-offline-env + livenessProbe: + exec: + command: + - supervisorctl + - status + - pcap-zeek + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: zeek-offline-var-local-catrust-volume + - mountPath: "/pcap" + name: zeek-offline-pcap-volume + - mountPath: "/zeek/extract_files" + name: zeek-offline-zeek-volume + subPath: "extract_files" + - mountPath: "/zeek/upload" + name: zeek-offline-zeek-volume + subPath: "upload" + - mountPath: "/opt/zeek/share/zeek/site/intel" + name: zeek-offline-zeek-intel + subPath: "zeek/intel" + volumes: + - name: zeek-offline-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: zeek-offline-pcap-volume + persistentVolumeClaim: + claimName: pcap-claim + - name: zeek-offline-zeek-volume + persistentVolumeClaim: + claimName: zeek-claim + - name: zeek-offline-zeek-intel + persistentVolumeClaim: + claimName: config-claim diff --git a/kubernetes/10-suricata.yml b/kubernetes/10-suricata.yml new file mode 100644 index 000000000..d2208ab26 --- /dev/null +++ b/kubernetes/10-suricata.yml 
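Review bot: `zeek-offline-deployment` only reads pcaps from `pcap-claim` and writes to `zeek-claim`, yet it requests `NET_ADMIN`, `NET_RAW` and `SYS_ADMIN` alongside `IPC_LOCK`/`SYS_RESOURCE`; the first three exist for live capture and mount/namespace operations, and `SYS_ADMIN` in particular is close to full root on the node. Unless the offline path needs them (nothing in this manifest suggests it does), dropping them — and adding `drop: [ALL]` ahead of the `add:` list — keeps the pod at least privilege. `10-suricata.yml` carries the identical capability set for its offline deployment.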
@@ -0,0 +1,74 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: suricata-offline-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: suricata-offline-deployment + replicas: 1 + template: + metadata: + labels: + name: suricata-offline-deployment + spec: + containers: + - name: suricata-offline-container + image: ghcr.io/idaholab/malcolm/suricata:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + securityContext: + capabilities: + add: + - IPC_LOCK + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + - SYS_RESOURCE + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: upload-common-env + - configMapRef: + name: suricata-env + - configMapRef: + name: suricata-offline-env + livenessProbe: + exec: + command: + - supervisorctl + - status + - pcap-suricata + initialDelaySeconds: 120 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: suricata-offline-var-local-catrust-volume + - mountPath: "/data/pcap" + name: suricata-offline-pcap-volume + - mountPath: "/var/log/suricata" + name: suricata-offline-suricata-logs-volume + - mountPath: "/opt/suricata/rules/configmap" + name: suricata-offline-custom-rules-volume + volumes: + - name: suricata-offline-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: suricata-offline-pcap-volume + persistentVolumeClaim: + claimName: pcap-claim + - name: suricata-offline-suricata-logs-volume + persistentVolumeClaim: + claimName: suricata-claim + - name: suricata-offline-custom-rules-volume + configMap: + name: suricata-rules \ No newline at end of file diff --git a/kubernetes/11-file-monitor.yml b/kubernetes/11-file-monitor.yml new file mode 100644 index 000000000..05b4227f1 --- /dev/null +++ b/kubernetes/11-file-monitor.yml 
@@ -0,0 +1,91 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: file-monitor + namespace: malcolm +spec: + ports: + - port: 3310 + protocol: TCP + name: clamav + - port: 8440 + protocol: TCP + name: http + selector: + name: file-monitor-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: file-monitor-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: file-monitor-deployment + replicas: 1 + template: + metadata: + labels: + name: file-monitor-deployment + spec: + containers: + - name: file-monitor-container + image: ghcr.io/idaholab/malcolm/file-monitor:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: clamav + containerPort: 3310 + protocol: TCP + - name: http + protocol: TCP + containerPort: 8440 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: zeek-env + - secretRef: + name: zeek-secret-env + env: + - name: VIRTUAL_HOST + value: "file-monitor.malcolm.local" + livenessProbe: + exec: + command: + - supervisorctl + - status + - watcher + - logger + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: file-monitor-var-local-catrust-volume + - mountPath: "/zeek/extract_files" + name: file-monitor-zeek-volume + subPath: "extract_files" + - mountPath: "/zeek/logs" + name: file-monitor-zeek-volume + subPath: "current" + - mountPath: "/yara-rules/custom/configmap" + name: file-monitor-yara-rules-custom-volume + volumes: + - name: file-monitor-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: file-monitor-zeek-volume + persistentVolumeClaim: + claimName: zeek-claim + - name: file-monitor-yara-rules-custom-volume + configMap: + name: yara-rules \ No newline at end of file 
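Review bot: The `file-monitor` Service publishes the ClamAV daemon port 3310 (and 8440) to every pod in the cluster, and none of the manifests in this change define a `NetworkPolicy`, so any workload that lands in the cluster can submit scan jobs to clamd or reach any other Malcolm Service by DNS. A namespace-scoped default-deny ingress policy plus explicit allows between the Malcolm components (for example zeek → file-monitor:3310, nginx-proxy → arkime/dashboards/api) would bound lateral movement; if that is planned for a later commit, a comment here saying so would help. The two port entries also list `containerPort`/`protocol` in different orders — minor, but consistency makes the manifests easier to scan.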
diff --git a/kubernetes/12-filebeat.yml b/kubernetes/12-filebeat.yml new file mode 100644 index 000000000..aa073b19d --- /dev/null +++ b/kubernetes/12-filebeat.yml 
@@ -0,0 +1,101 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: filebeat + namespace: malcolm +spec: + type: ClusterIP + ports: + - port: 5045 + protocol: TCP + name: tcpjson + selector: + name: filebeat-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: filebeat-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: filebeat-deployment + replicas: 1 + template: + metadata: + labels: + name: filebeat-deployment + spec: + containers: + - name: filebeat-container + image: ghcr.io/idaholab/malcolm/filebeat-oss:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: tcpjson + protocol: TCP + containerPort: 5045 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: nginx-env + - configMapRef: + name: opensearch-env + - configMapRef: + name: upload-common-env + - configMapRef: + name: beats-common-env + - configMapRef: + name: filebeat-env + livenessProbe: + exec: + command: + - supervisorctl + - status + - filebeat + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: filebeat-var-local-catrust-volume + - mountPath: /var/local/curlrc/secretmap + name: filebeat-opensearch-curlrc-secret-volume + - mountPath: /certs/secretmap + name: filebeat-certs-secret-volume + - mountPath: "/zeek" + name: filebeat-zeek-volume + - mountPath: "/suricata" + name: filebeat-suricata-volume + - name: filebeat-nginx-runtime-logs-volume + mountPath: /nginx + subPath: "nginx" + volumes: + - name: filebeat-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: filebeat-opensearch-curlrc-secret-volume + secret: + secretName: opensearch-curlrc + - name: filebeat-certs-secret-volume + secret: + secretName: filebeat-certs + - name: filebeat-zeek-volume + persistentVolumeClaim: + claimName: zeek-claim + - name: 
filebeat-suricata-volume + persistentVolumeClaim: + claimName: suricata-claim + - name: filebeat-nginx-runtime-logs-volume + persistentVolumeClaim: + readOnly: true + claimName: runtime-logs-claim \ No newline at end of file diff --git a/kubernetes/13-logstash.yml b/kubernetes/13-logstash.yml new file mode 100644 index 000000000..56b9c256c --- /dev/null +++ b/kubernetes/13-logstash.yml 
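Review bot: The `tcpjson` input on 5045 is forwarded from outside the cluster by the ingress `tcp-services` map (`5045: "malcolm/filebeat:5045"`), so whether it is authenticated depends entirely on what `beats-common-env`/`filebeat-env` and the `filebeat-certs` secret configure — nothing in this manifest shows TLS or client-certificate verification being required. A comment next to the port (or on the Service) stating that the input must run with TLS and client auth when exposed externally would make that dependency visible. `filebeat-zeek-volume` and `filebeat-suricata-volume` are mounted read-write while the nginx log volume is `readOnly: true`; if Filebeat only reads those logs the same flag would apply.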
@@ -0,0 +1,130 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: logstash + namespace: malcolm +spec: + type: ClusterIP + ports: + - port: 5044 + protocol: TCP + name: lumberjack + - port: 9001 + protocol: TCP + name: supervisord + - port: 9600 + protocol: TCP + name: http + selector: + name: logstash-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: logstash-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: logstash-deployment + replicas: 1 + template: + metadata: + labels: + name: logstash-deployment + spec: + # affinity: + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: name + # operator: In + # values: + # - opensearch-deployment + # topologyKey: "kubernetes.io/hostname" + containers: + - name: logstash-container + image: ghcr.io/idaholab/malcolm/logstash-oss:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + securityContext: + capabilities: + add: + - IPC_LOCK + - SYS_RESOURCE + ports: + - name: lumberjack + protocol: TCP + containerPort: 5044 + - name: supervisord + protocol: TCP + containerPort: 9001 + - name: http + protocol: TCP + containerPort: 9600 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: opensearch-env + - configMapRef: + name: netbox-common-env + - configMapRef: + name: netbox-env + - secretRef: + name: netbox-secret-env + - configMapRef: + name: beats-common-env + - configMapRef: + name: lookup-common-env + - configMapRef: + name: logstash-env + livenessProbe: + httpGet: + path: / + port: 9600 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: logstash-var-local-catrust-volume + - mountPath: /var/local/curlrc/secretmap + name: logstash-opensearch-curlrc-secret-volume + - mountPath: 
/certs/secretmap + name: logstash-certs-secret-volume + - mountPath: /etc/configmap + name: logstash-maps-volume + - name: logstash-keystore-default-secret-volume + mountPath: /usr/share/logstash/config/bootstrap/secretmap + - name: logstash-config-persist-volume + mountPath: /usr/share/logstash/config/persist + subPath: "logstash" + volumes: + - name: logstash-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: logstash-opensearch-curlrc-secret-volume + secret: + secretName: opensearch-curlrc + - name: logstash-certs-secret-volume + secret: + secretName: logstash-certs + - name: logstash-maps-volume + configMap: + name: logstash-maps + - name: logstash-keystore-default-secret-volume + secret: + secretName: logstash-keystore + - name: logstash-config-persist-volume + persistentVolumeClaim: + claimName: config-claim \ No newline at end of file diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml new file mode 100644 index 000000000..9fceac45d --- /dev/null +++ b/kubernetes/15-netbox-redis.yml 
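Review bot: The `logstash` Service publishes the supervisord port 9001 cluster-wide; supervisord's inet HTTP server is an XML-RPC control interface that can stop, start and read the output of the managed processes, so unless the image configures it with authentication, exposing it beyond the pod hands process control to any workload in the cluster. If the port is only needed for a probe or debugging, dropping it from the Service (the `containerPort` can stay) is the simplest fix. The commented-out `podAntiAffinity` block is dead configuration — either enable it with a comment explaining when it is needed or remove it.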
@@ -0,0 +1,83 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: netbox-redis + namespace: malcolm +spec: + ports: + - port: 6379 + protocol: TCP + name: redis + selector: + name: netbox-redis-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbox-redis-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: netbox-redis-deployment + replicas: 1 + template: + metadata: + labels: + name: netbox-redis-deployment + spec: + containers: + - name: netbox-redis-container + image: ghcr.io/idaholab/malcolm/redis:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + command: ["sh"] + args: ["-c", "redis-server --appendonly yes --requirepass $(REDIS_PASSWORD)"] + ports: + - name: redis + protocol: TCP + containerPort: 6379 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: netbox-common-env + - secretRef: + name: netbox-redis-env + env: + - name: VIRTUAL_HOST + value: "netbox-redis.malcolm.local" + livenessProbe: + exec: + command: + - sh + - "-c" + - | + /bin/bash <<'EOF' + + [[ "$NETBOX_REDIS_DISABLED" == 'true' ]] || ( pidof redis-server || exit 1 ) + + EOF + initialDelaySeconds: 45 + periodSeconds: 60 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: netbox-redis-var-local-catrust-volume + - mountPath: /data + name: netbox-redis-volume + subPath: netbox/redis + volumes: + - name: netbox-redis-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: netbox-redis-volume + persistentVolumeClaim: + claimName: config-claim \ No newline at end of file diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml new file mode 100644 index 000000000..1096ca615 --- /dev/null +++ b/kubernetes/16-netbox-redis-cache.yml 
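Review bot: `args: ["-c", "redis-server --appendonly yes --requirepass $(REDIS_PASSWORD)"]` has the kubelet expand the secret into the process command line, so the password is visible in the container's process listing and in any crash or debug output that captures argv. Feeding the directive on stdin keeps it out of the command line, e.g. `printf 'requirepass %s\nappendonly yes\n' "$REDIS_PASSWORD" | redis-server -` (constructed; mind the YAML quoting). The same pattern appears in `16-netbox-redis-cache.yml`, which also reuses `NETBOX_REDIS_DISABLED` in its probe — fine if both instances are meant to be toggled together, but worth a comment.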
@@ -0,0 +1,77 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: netbox-redis-cache + namespace: malcolm +spec: + ports: + - port: 6379 + protocol: TCP + name: redis + selector: + name: netbox-redis-cache-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbox-redis-cache-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: netbox-redis-cache-deployment + replicas: 1 + template: + metadata: + labels: + name: netbox-redis-cache-deployment + spec: + containers: + - name: netbox-redis-cache-container + image: ghcr.io/idaholab/malcolm/redis:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + command: ["sh"] + args: ["-c", "redis-server --requirepass $(REDIS_PASSWORD)"] + ports: + - name: redis + protocol: TCP + containerPort: 6379 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: netbox-common-env + - secretRef: + name: netbox-redis-cache-env + env: + - name: VIRTUAL_HOST + value: "netbox-redis-cache.malcolm.local" + livenessProbe: + exec: + command: + - sh + - "-c" + - | + /bin/bash <<'EOF' + + [[ "$NETBOX_REDIS_DISABLED" == 'true' ]] || ( pidof redis-server || exit 1 ) + + EOF + initialDelaySeconds: 45 + periodSeconds: 60 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: netbox-redis-cache-var-local-catrust-volume + volumes: + - name: netbox-redis-cache-var-local-catrust-volume + configMap: + name: var-local-catrust diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml new file mode 100644 index 000000000..5d5ad21a0 --- /dev/null +++ b/kubernetes/17-netbox-postgres.yml 
@@ -0,0 +1,81 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: netbox-postgres + namespace: malcolm +spec: + ports: + - port: 5432 + protocol: TCP + name: postgresql + selector: + name: netbox-postgres-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbox-postgres-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: netbox-postgres-deployment + replicas: 1 + template: + metadata: + labels: + name: netbox-postgres-deployment + spec: + containers: + - name: netbox-postgres-container + image: ghcr.io/idaholab/malcolm/postgresql:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: postgresql + protocol: TCP + containerPort: 5432 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: netbox-common-env + - secretRef: + name: netbox-postgres-env + env: + - name: VIRTUAL_HOST + value: "netbox-postgres.malcolm.local" + livenessProbe: + exec: + command: + - sh + - "-c" + - | + /bin/bash <<'EOF' + + [[ "$NETBOX_POSTGRES_DISABLED" == 'true' ]] || pg_isready -d "$POSTGRES_DB" -U "$POSTGRES_USER" + + EOF + initialDelaySeconds: 90 + periodSeconds: 60 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: netbox-postgres-var-local-catrust-volume + - mountPath: /var/lib/postgresql/data + name: netbox-postgres-volume + subPath: netbox/postgres + volumes: + - name: netbox-postgres-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: netbox-postgres-volume + persistentVolumeClaim: + claimName: config-claim \ No newline at end of file diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml new file mode 100644 index 000000000..d22b3f7ac --- /dev/null +++ b/kubernetes/18-netbox.yml 
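Review bot: The Deployment has no `strategy`, so the default RollingUpdate applies and a rollout starts the replacement pod before the old one exits; with `replicas: 1` and `/var/lib/postgresql/data` on the shared `config-claim` PVC (subPath `netbox/postgres`), two postgres instances can briefly open the same data directory, which risks corruption. For a single-writer stateful workload add `strategy: {type: Recreate}` under `spec` so the old pod is torn down first. The same concern applies to kubernetes/15-netbox-redis.yml (append-only file on `/data`) and to the `netbox/media` subPath in kubernetes/18-netbox.yml. Whether `config-claim` is ReadWriteOnce or ReadWriteMany is not visible here; if it is RWX-backed storage, a note on why postgres is placed on it would help the next maintainer.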
@@ -0,0 +1,110 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: netbox + namespace: malcolm +spec: + ports: + - port: 8080 + protocol: TCP + name: http-main + - port: 8081 + protocol: TCP + name: http-status + - port: 9001 + protocol: TCP + name: supervisord + selector: + name: netbox-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbox-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: netbox-deployment + replicas: 1 + template: + metadata: + labels: + name: netbox-deployment + spec: + containers: + - name: netbox-container + image: ghcr.io/idaholab/malcolm/netbox:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: http-main + protocol: TCP + containerPort: 8080 + - name: http-status + protocol: TCP + containerPort: 8081 + - name: supervisord + protocol: TCP + containerPort: 9001 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: netbox-common-env + - configMapRef: + name: netbox-env + - secretRef: + name: netbox-secret-env + env: + - name: VIRTUAL_HOST + value: "netbox.malcolm.local" + livenessProbe: + httpGet: + path: /netbox/api/ + port: 8080 + scheme: HTTP + initialDelaySeconds: 300 + periodSeconds: 60 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: netbox-var-local-catrust-volume + - mountPath: /usr/local/share/configmap + name: netbox-netmap-json-volume + - mountPath: /etc/netbox/config/configmap + name: netbox-config-volume + - mountPath: /etc/netbox/reports/configmap + name: netbox-reports-volume + - mountPath: /etc/netbox/scripts/configmap + name: netbox-scripts-volume + - mountPath: /opt/netbox/netbox/media + name: netbox-media-volume + subPath: netbox/media + volumes: + - name: netbox-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: netbox-netmap-json-volume + configMap: + name: netbox-netmap-json 
+ - name: netbox-config-volume + configMap: + name: netbox-config + - name: netbox-reports-volume + configMap: + name: netbox-reports + - name: netbox-scripts-volume + configMap: + name: netbox-scripts + - name: netbox-media-volume + persistentVolumeClaim: + claimName: config-claim + diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml new file mode 100644 index 000000000..0bfc8348a --- /dev/null +++ b/kubernetes/19-htadmin.yml 
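Review bot: The Service publishes port `9001` (`supervisord`) cluster-wide alongside the two HTTP ports, which exposes the process-control interface to every pod that can reach the `malcolm` namespace. Unless another component consumes it, drop that entry from the Service (keeping the `containerPort` for local use) or document why it must be reachable; whether the supervisord HTTP interface in this image is authenticated cannot be told from the manifest, so confirm before leaving it exposed. The liveness probe `path: /netbox/api/` on `8080` will be marked failing on any non-2xx/3xx response; if that endpoint requires authentication in this configuration, the probe would restart a healthy pod, so verify it returns 2xx unauthenticated or point it at a status endpoint.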
@@ -0,0 +1,77 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: htadmin + namespace: malcolm +spec: + ports: + - port: 80 + protocol: TCP + name: http + selector: + name: htadmin-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: htadmin-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: htadmin-deployment + replicas: 1 + template: + metadata: + labels: + name: htadmin-deployment + spec: + containers: + - name: htadmin-container + image: ghcr.io/idaholab/malcolm/htadmin:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: http + protocol: TCP + containerPort: 80 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: auth-common-env + env: + - name: VIRTUAL_HOST + value: "htadmin.malcolm.local" + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: htadmin-var-local-catrust-volume + - mountPath: /var/www/htadmin/auth + name: htadmin-config-volume + subPath: "auth" + - mountPath: /var/www/htadmin/default/configmap + name: htadmin-config-default-volume + - mountPath: /var/www/htadmin/default/secretmap + name: htadmin-config-default-secret-volume + - mountPath: /var/www/htadmin/config + name: htadmin-config-volume + subPath: "htadmin" + volumes: + - name: htadmin-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: htadmin-config-volume + persistentVolumeClaim: + claimName: config-claim + - name: htadmin-config-default-volume + configMap: + name: htadmin-config + - name: htadmin-config-default-secret-volume + secret: + secretName: htadmin-config + diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml new file mode 100644 index 000000000..5c9b21f3f --- /dev/null +++ b/kubernetes/20-pcap-capture.yml 
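Review bot: htadmin is the only service-backed Deployment in this set without a `livenessProbe`, although its siblings (netbox, freq, nginx-proxy) all define one; a hung PHP process would keep serving nothing behind the `htadmin` Service without being restarted. Since it is also the component that writes the shared `auth` subPath consumed by nginx-proxy, a probe is worth adding after the `env` block, with the path adjusted to whatever the image serves unauthenticated.

```yaml
            value: "htadmin.malcolm.local"
        livenessProbe:
          httpGet:
            path: /
            port: 80
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 30
          timeoutSeconds: 15
          successThreshold: 1
          failureThreshold: 10
        # … unchanged: volumeMounts …
```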
@@ -0,0 +1,53 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pcap-capture-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: pcap-capture-deployment + replicas: 1 + template: + metadata: + labels: + name: pcap-capture-deployment + spec: + containers: + - name: pcap-capture-container + image: ghcr.io/idaholab/malcolm/pcap-capture:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + securityContext: + capabilities: + add: + - IPC_LOCK + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + - SYS_RESOURCE + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: pcap-capture-env + env: + - name: PCAP_CAPTURE_DISABLED + value: "true" + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: capture-var-local-catrust-volume + - mountPath: "/pcap" + name: capture-pcap-volume + subPath: "upload" + volumes: + - name: capture-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: capture-pcap-volume + persistentVolumeClaim: + claimName: pcap-claim diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml new file mode 100644 index 000000000..f67b32625 --- /dev/null +++ b/kubernetes/21-zeek-live.yml 
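Review bot: The container is granted `IPC_LOCK`, `NET_ADMIN`, `NET_RAW`, `SYS_ADMIN` and `SYS_RESOURCE` with no comment on why each is needed; `SYS_ADMIN` in particular is close to full root and deserves justification in the manifest, especially since the deployment ships with `PCAP_CAPTURE_DISABLED: "true"` and so carries that privilege for a disabled workload. Add a short comment above `capabilities:` naming the purpose of each capability, and consider `drop: ["ALL"]` before the `add:` list so nothing beyond the enumerated set is retained. The pod spec also has no `hostNetwork: true`; presumably a capture container would only see the pod's own veth without it, so a comment stating how live capture is expected to reach node interfaces when enabled would prevent confusion. The same capability list appears in kubernetes/21-zeek-live.yml and kubernetes/22-suricata-live.yml.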
@@ -0,0 +1,55 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: zeek-live-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: zeek-live-deployment + replicas: 1 + template: + metadata: + labels: + name: zeek-live-deployment + spec: + containers: + - name: zeek-live-container + image: ghcr.io/idaholab/malcolm/zeek:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + securityContext: + capabilities: + add: + - IPC_LOCK + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + - SYS_RESOURCE + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: upload-common-env + - configMapRef: + name: zeek-env + - secretRef: + name: zeek-secret-env + - configMapRef: + name: zeek-live-env + - configMapRef: + name: pcap-capture-env + env: + - name: ZEEK_DISABLED + value: "true" + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: zeek-live-var-local-catrust-volume + volumes: + - name: zeek-live-var-local-catrust-volume + configMap: + name: var-local-catrust diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml new file mode 100644 index 000000000..d0fa77305 --- /dev/null +++ b/kubernetes/22-suricata-live.yml 
@@ -0,0 +1,53 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: suricata-live-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: suricata-live-deployment + replicas: 1 + template: + metadata: + labels: + name: suricata-live-deployment + spec: + containers: + - name: suricata-live-container + image: ghcr.io/idaholab/malcolm/suricata:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + securityContext: + capabilities: + add: + - IPC_LOCK + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + - SYS_RESOURCE + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: upload-common-env + - configMapRef: + name: suricata-env + - configMapRef: + name: suricata-live-env + - configMapRef: + name: pcap-capture-env + env: + - name: SURICATA_DISABLED + value: "true" + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: suricata-live-var-local-catrust-volume + volumes: + - name: suricata-live-var-local-catrust-volume + configMap: + name: var-local-catrust diff --git a/kubernetes/23-freq.yml b/kubernetes/23-freq.yml new file mode 100644 index 000000000..c515bd917 --- /dev/null +++ b/kubernetes/23-freq.yml 
@@ -0,0 +1,67 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: freq + namespace: malcolm +spec: + ports: + - port: 10004 + protocol: TCP + name: http + selector: + name: freq-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: freq-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: freq-deployment + replicas: 1 + template: + metadata: + labels: + name: freq-deployment + spec: + containers: + - name: freq-container + image: ghcr.io/idaholab/malcolm/freq:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: http + protocol: TCP + containerPort: 10004 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: lookup-common-env + env: + - name: VIRTUAL_HOST + value: "freq.malcolm.local" + livenessProbe: + httpGet: + path: / + port: 10004 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - mountPath: /var/local/ca-trust/configmap + name: freq-var-local-catrust-volume + volumes: + - name: freq-var-local-catrust-volume + configMap: + name: var-local-catrust diff --git a/kubernetes/99-nginx-proxy.yml b/kubernetes/99-nginx-proxy.yml new file mode 100644 index 000000000..ccd1d5124 --- /dev/null +++ b/kubernetes/99-nginx-proxy.yml 
@@ -0,0 +1,121 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-proxy + namespace: malcolm +spec: + type: ClusterIP + ports: + - port: 443 + protocol: TCP + name: https + - port: 8443 + protocol: TCP + name: http + - port: 9200 + protocol: TCP + name: opensearch + selector: + name: nginx-proxy-deployment + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-proxy-deployment + namespace: malcolm +spec: + selector: + matchLabels: + name: nginx-proxy-deployment + replicas: 1 + template: + metadata: + labels: + name: nginx-proxy-deployment + spec: + containers: + - name: nginx-proxy-container + image: ghcr.io/idaholab/malcolm/nginx-proxy:23.05.0 + imagePullPolicy: Always + stdin: false + tty: true + ports: + - name: https + protocol: TCP + containerPort: 443 + - name: http + protocol: TCP + containerPort: 8443 + - name: opensearch + protocol: TCP + containerPort: 9200 + envFrom: + - configMapRef: + name: process-env + - configMapRef: + name: ssl-env + - configMapRef: + name: auth-common-env + - configMapRef: + name: nginx-env + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 120 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 10 + volumeMounts: + - name: nginx-etc-nginx-volume + mountPath: /etc/nginx/configmap + - name: nginx-etc-nginx-secret-volume + mountPath: /etc/nginx/secretmap + - name: nginx-var-local-catrust-volume + mountPath: /var/local/ca-trust/configmap + - name: nginx-etc-nginx-certs-secret-volume + mountPath: /etc/nginx/certs/secretmap + - name: nginx-etc-nginx-certs-pem-volume + mountPath: /etc/nginx/dhparam/configmap + - name: nginx-opensearch-curlrc-secret-volume + mountPath: /var/local/curlrc/secretmap + - name: nginx-etc-auth-volume + mountPath: /etc/nginx/auth + subPath: "auth" + - name: nginx-etc-auth-default-secret-volume + mountPath: /tmp/auth/default/secretmap + - name: nginx-runtime-logs-volume + mountPath: /var/log/nginx + subPath: 
"nginx" + volumes: + - name: nginx-etc-nginx-volume + configMap: + name: etc-nginx + - name: nginx-etc-nginx-secret-volume + secret: + secretName: etc-nginx + - name: nginx-var-local-catrust-volume + configMap: + name: var-local-catrust + - name: nginx-etc-nginx-certs-secret-volume + secret: + secretName: etc-nginx-certs + - name: nginx-etc-nginx-certs-pem-volume + configMap: + name: etc-nginx-certs-pem + - name: nginx-opensearch-curlrc-secret-volume + secret: + secretName: opensearch-curlrc + - name: nginx-etc-auth-volume + persistentVolumeClaim: + claimName: config-claim + - name: nginx-etc-auth-default-secret-volume + secret: + secretName: etc-nginx-auth + - name: nginx-runtime-logs-volume + persistentVolumeClaim: + claimName: runtime-logs-claim \ No newline at end of file diff --git a/kubernetes/vagrant/.gitignore b/kubernetes/vagrant/.gitignore new file mode 100644 index 000000000..86a37fb65 --- /dev/null +++ b/kubernetes/vagrant/.gitignore @@ -0,0 +1,2 @@ +.vagrant + diff --git a/kubernetes/vagrant/Vagrantfile b/kubernetes/vagrant/Vagrantfile new file mode 100644 index 000000000..77e2e2b61 --- /dev/null +++ b/kubernetes/vagrant/Vagrantfile 
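Review bot: The Service and container port `8443` is named `http`, yet the liveness probe targets `port: 8443` with `scheme: HTTPS`; one of the two is wrong, and the name is what other tooling (and readers) rely on. Confirm whether 8443 serves TLS and then either rename the port (e.g. `name: https-alt`) or change the probe to `scheme: HTTP`. The Service also fronts `9200` (`opensearch`) from the proxy; since `type: ClusterIP` is explicit here but omitted on the other Services, a one-line comment saying these three ports are the only intended cluster-internal entry points would document the exposure boundary.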
@@ -0,0 +1,204 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +# +# This Vagrantfile facilitates testing Malcolm's kubernetes deployment +# by providing a simple virtualized 3 node k3s cluster. +# Not for production use. +# + +unless Vagrant.has_plugin?("vagrant-reload") + raise 'vagrant-reload plugin is not installed!' +end + +server_ip = "192.168.56.10" +server_hostname = "server.k3s.internal" +load_balancer_additional_ports = "{\\\"appProtocol\\\": \\\"tcp\\\", \\\"name\\\": \\\"lumberjack\\\", \\\"port\\\": 5044, \\\"targetPort\\\": 5044, \\\"protocol\\\": \\\"TCP\\\"}, {\\\"appProtocol\\\": \\\"tcp\\\", \\\"name\\\": \\\"tcpjson\\\", \\\"port\\\": 5045, \\\"targetPort\\\": 5045, \\\"protocol\\\": \\\"TCP\\\"}, {\\\"appProtocol\\\": \\\"tcp\\\", \\\"name\\\": \\\"sftp\\\", \\\"port\\\": 8022, \\\"targetPort\\\": 8022, \\\"protocol\\\": \\\"TCP\\\"}, {\\\"appProtocol\\\": \\\"tcp\\\", \\\"name\\\": \\\"opensearch\\\", \\\"port\\\": 9200, \\\"targetPort\\\": 9200, \\\"protocol\\\": \\\"TCP\\\"}" +deployment_additional_ports = "{\\\"name\\\": \\\"lumberjack\\\", \\\"containerPort\\\": 5044, \\\"protocol\\\": \\\"TCP\\\"}, {\\\"name\\\": \\\"tcpjson\\\", \\\"containerPort\\\": 5045, \\\"protocol\\\": \\\"TCP\\\"}, {\\\"name\\\": \\\"sftp\\\", \\\"containerPort\\\": 8022, \\\"protocol\\\": \\\"TCP\\\"}, {\\\"name\\\": \\\"opensearch\\\", \\\"containerPort\\\": 9200, \\\"protocol\\\": \\\"TCP\\\"}" + +agents = { "agent1" => "192.168.56.11", + "agent2" => "192.168.56.12" } + +common_script_0 = <<-SHELL + sudo -i + apt-get -qqy update + apt-get -y install --no-install-recommends \ + apt-transport-https \ + bat \ + ca-certificates \ + curl \ + fd-find \ + git \ + gnupg2 \ + iptables \ + jq \ + moreutils \ + ripgrep \ + software-properties-common + curl -sSL -o /usr/bin/yq "https://github.com/mikefarah/yq/releases/latest/download/yq_"$(uname -s | tr '[:upper:]' '[:lower:]')"_"$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')"" && \ + chmod 755 /usr/bin/yq + 
cat >> /etc/security/limits.d/limits.conf <> /etc/sysctl.conf <> /etc/hosts + export INSTALL_K3S_EXEC="server --disable traefik --bind-address=#{server_ip} --node-external-ip=#{server_ip} --flannel-iface=eth1" + curl -sfL https://get.k3s.io | sh - + echo "Waiting for k3s to start..." + sleep 30 + curl -sSL -o /tmp/deploy_nginx.yaml https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml + yq -i '( select(.kind == "Deployment").spec.template.spec.containers[].args[] | select(contains("/nginx-ingress-controller")) | parent ) += ["--enable-ssl-passthrough", "--tcp-services-configmap=ingress-nginx/tcp-services"]' /tmp/deploy_nginx.yaml + yq -i "( select(.kind == \\"Deployment\\").spec.template.spec.containers[].args[] | select(contains(\\"/nginx-ingress-controller\\")) | parent | parent | .ports ) += [#{deployment_additional_ports}]" /tmp/deploy_nginx.yaml + yq -i "( select(.kind == \\"Service\\" and .spec.type == \\"LoadBalancer\\").spec.ports ) += [#{load_balancer_additional_ports}]" /tmp/deploy_nginx.yaml + kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml apply -f /tmp/deploy_nginx.yaml + until [ -f /var/lib/rancher/k3s/server/token ] && [ -f /etc/rancher/k3s/k3s.yaml ]; do sleep 5; done + cp -v /var/lib/rancher/k3s/server/token /vagrant_shared + cp -v /etc/rancher/k3s/k3s.yaml /vagrant_shared + SHELL + +agent_script_1 = <<-SHELL + sudo -i + echo "#{server_ip} #{server_hostname}" >> /etc/hosts + export K3S_TOKEN_FILE=/vagrant_shared/token + export K3S_URL=https://#{server_ip}:6443 + export INSTALL_K3S_EXEC="--flannel-iface=eth1" + echo "Waiting for k3s server..." 
+ until [ -f /vagrant_shared/token ]; do sleep 5; done + curl -sfL https://get.k3s.io | sh - + SHELL + +Vagrant.configure("2") do |config| + config.vm.box = "bento/debian-11" + config.ssh.config = "ssh_config" + + config.vm.define "server", primary: true do |server| + server.vm.network "private_network", ip: server_ip + server.vm.network :forwarded_port, guest: 6443, host: 6443 + for p in 30000..30100 + server.vm.network :forwarded_port, guest: p, host: p, protocol: "tcp" + end + server.vm.synced_folder '.', '/vagrant', disabled: true + server.vm.synced_folder "./shared", "/vagrant_shared", type: "sshfs", disabled: false + server.vm.hostname = "server" + + server.vm.provider :libvirt do |vm| + vm.cpus = 2 + vm.memory = 4096 + end + server.vm.provider :virtualbox do |vm| + vm.cpus = 2 + vm.memory = 4096 + end + server.vm.provider :vmware_desktop do |vm| + vm.cpus = 2 + vm.memory = 4096 + end + server.vm.provider :vmware_fusion do |vm| + vm.cpus = 2 + vm.memory = 4096 + end + + server.vm.provision "shell", inline: server_script_0 + server.vm.provision "shell", inline: common_script_0 + server.vm.provision :reload + server.vm.provision "shell", inline: server_script_1 + end + + agents.each do |agent_name, agent_ip| + config.vm.define agent_name do |agent| + agent.vm.network "private_network", ip: agent_ip + agent.vm.synced_folder '.', '/vagrant', disabled: true + agent.vm.synced_folder "./shared", "/vagrant_shared", type: "sshfs", disabled: false + agent.vm.hostname = agent_name + + agent.vm.provider :libvirt do |vm| + vm.cpus = 4 + vm.memory = 12288 + end + agent.vm.provider :virtualbox do |vm| + vm.cpus = 4 + vm.memory = 12288 + end + agent.vm.provider :vmware_desktop do |vm| + vm.cpus = 4 + vm.memory = 12288 + end + agent.vm.provider :vmware_fusion do |vm| + vm.cpus = 4 + vm.memory = 12288 + end + + agent.vm.provision "shell", inline: common_script_0 + agent.vm.provision :reload + agent.vm.provision "shell", inline: agent_script_1 + end + end +end + 
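Review bot: Both provisioning scripts fetch and execute unpinned, unverified code as root: `curl -sfL https://get.k3s.io | sh -` (server and agent) and the `yq` download from `releases/latest` with no checksum. Even for a test cluster this makes the build non-reproducible and trusts whatever the release endpoint serves on the day; pin with `export INSTALL_K3S_VERSION="<k3s version>"` before the install line and download a fixed `yq` release with a `sha256sum -c` check. The forwarded ports (`guest: 6443, host: 6443` and the `30000..30100` loop) have no `host_ip`, so Vagrant binds them on all host interfaces and the k3s API plus every NodePort become reachable from the host's network; add `host_ip: "127.0.0.1"` to both `forwarded_port` calls. The `sleep 30` before the ingress-nginx apply is a race; the later `until [ -f /var/lib/rancher/k3s/server/token ] ...` loop could be moved ahead of the `kubectl apply` instead.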
diff --git a/kubernetes/vagrant/shared/.gitignore b/kubernetes/vagrant/shared/.gitignore new file mode 100644 index 000000000..a5baada18 --- /dev/null +++ b/kubernetes/vagrant/shared/.gitignore @@ -0,0 +1,3 @@ +* +!.gitignore + diff --git a/kubernetes/vagrant/ssh_config b/kubernetes/vagrant/ssh_config new file mode 100644 index 000000000..10ff23648 --- /dev/null +++ b/kubernetes/vagrant/ssh_config @@ -0,0 +1,3 @@ +Host * + IdentitiesOnly yes + GSSAPIAuthentication no diff --git a/logstash/maps/zeek_log_ecs_categories.yaml b/logstash/maps/zeek_log_ecs_categories.yaml index 5c9cdcf55..f755ad5ab 100644 --- a/logstash/maps/zeek_log_ecs_categories.yaml +++ b/logstash/maps/zeek_log_ecs_categories.yaml @@ -81,6 +81,13 @@ "stun": ["network"] "stun_nat": ["network"] "syslog": ["network"] +"synchrophasor": ["ot", "network"] +"synchrophasor_cfg": ["ot", "network"] +"synchrophasor_cfg_detail": ["ot", "network"] +"synchrophasor_cmd": ["ot", "network"] +"synchrophasor_data": ["ot", "network"] +"synchrophasor_data_detail": ["ot", "network"] +"synchrophasor_hdr": ["ot", "network"] "tds": ["database", "network"] "tds_rpc": ["database", "network"] "tds_sql_batch": ["database", "network"] diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf index 2c6f1203b..f1d530ef6 100644 --- a/logstash/pipelines/zeek/11_zeek_parse.conf +++ b/logstash/pipelines/zeek/11_zeek_parse.conf 
@@ -3218,6 +3218,245 @@ filter { } } + } else if ([log_source] == "synchrophasor") { + ############################################################################################################################# + # synchrophasor.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + dissect { + id => "dissect_zeek_synchrophasor" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][version]} %{[zeek_cols][data_stream_id]} %{[zeek_cols][history]} %{[zeek_cols][frame_size_min]} %{[zeek_cols][frame_size_max]} %{[zeek_cols][frame_size_tot]} %{[zeek_cols][data_frame_count]} %{[zeek_cols][data_rate]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor" + init => "$zeek_synchrophasor_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'version', 'data_stream_id', 'history', 'frame_size_min', 'frame_size_max', 'frame_size_tot', 'data_frame_count', 'data_rate' ]" + code => "event.set('[zeek_cols]', $zeek_synchrophasor_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + + } else if ([log_source] == "synchrophasor_cmd") { + ############################################################################################################################# + # synchrophasor_cmd.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + dissect { + id => "dissect_zeek_synchrophasor_cmd" + # zeek's default delimiter is a 
literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][command]} %{[zeek_cols][extframe]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_cmd" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_cmd" + init => "$zeek_synchrophasor_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'command', 'extframe' ]" + code => "event.set('[zeek_cols]', $zeek_synchrophasor_cmd_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_cmd" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_cfg") { + ############################################################################################################################# + # synchrophasor_cfg.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + dissect { + id => "dissect_zeek_synchrophasor_cfg" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cont_idx]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_rate]} %{[zeek_cols][cfg_frame_id]}" + } + } + + if ("_dissectfailure" in 
[tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_cfg" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_cfg" + init => "$zeek_synchrophasor_cfg_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'cont_idx', 'pmu_count_expected', 'pmu_count_actual', 'data_rate', 'cfg_frame_id' ]" + code => "event.set('[zeek_cols]', $zeek_synchrophasor_cfg_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_cfg" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_cfg_detail") { + ############################################################################################################################# + # synchrophasor_cfg_detail.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + dissect { + id => "dissect_zeek_synchrophasor_cfg_detail" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cfg_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][svc_class]} %{[zeek_cols][station_name]} %{[zeek_cols][data_source_id]} %{[zeek_cols][global_pmuid]} %{[zeek_cols][phasor_shape]} %{[zeek_cols][phasor_format]} %{[zeek_cols][analog_format]} %{[zeek_cols][freq_format]} %{[zeek_cols][phnmr]} %{[zeek_cols][annmr]} %{[zeek_cols][dgnmr]} %{[zeek_cols][phnam]} %{[zeek_cols][annam]} %{[zeek_cols][dgnam]} %{[zeek_cols][phasor_conv_phunit]} %{[zeek_cols][phasor_conv_phvalue]} %{[zeek_cols][phasor_conv_upsampled_interpolation]} 
%{[zeek_cols][phasor_conv_upsampled_extrapolation]} %{[zeek_cols][phasor_conv_downsampled_reselection]} %{[zeek_cols][phasor_conv_downsampled_fir_filter]} %{[zeek_cols][phasor_conv_downsampled_no_fir_filter]} %{[zeek_cols][phasor_conv_filtered_without_changing_sampling]} %{[zeek_cols][phasor_conv_calibration_mag_adj]} %{[zeek_cols][phasor_conv_calibration_phas_adj]} %{[zeek_cols][phasor_conv_rotation_phase_adj]} %{[zeek_cols][phasor_conv_pseudo_phasor_val]} %{[zeek_cols][phasor_conv_mod_appl]} %{[zeek_cols][phasor_conv_phasor_component]} %{[zeek_cols][phasor_conv_phasor_type]} %{[zeek_cols][phasor_conv_user_def]} %{[zeek_cols][phasor_conv_scale_factor]} %{[zeek_cols][phasor_conv_angle_adj]} %{[zeek_cols][analog_conv_analog_flags]} %{[zeek_cols][analog_conv_user_defined_scaling]} %{[zeek_cols][analog_conv_mag_scale]} %{[zeek_cols][analog_conv_offset]} %{[zeek_cols][digital_conv_normal_status_mask]} %{[zeek_cols][digital_conv_valid_inputs_mask]} %{[zeek_cols][pmu_lat]} %{[zeek_cols][pmu_lon]} %{[zeek_cols][pmu_elev]} %{[zeek_cols][window]} %{[zeek_cols][group_delay]} %{[zeek_cols][fnom]} %{[zeek_cols][cfgcnt]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_cfg_detail" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_cfg_detail" + init => "$zeek_synchrophasor_cfg_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'cfg_frame_id', 'pmu_idx', 'svc_class', 'station_name', 'data_source_id', 'global_pmuid', 'phasor_shape', 'phasor_format', 'analog_format', 'freq_format', 'phnmr', 'annmr', 'dgnmr', 'phnam', 'annam', 'dgnam', 'phasor_conv_phunit', 'phasor_conv_phvalue', 'phasor_conv_upsampled_interpolation', 'phasor_conv_upsampled_extrapolation', 'phasor_conv_downsampled_reselection', 'phasor_conv_downsampled_fir_filter', 
'phasor_conv_downsampled_no_fir_filter', 'phasor_conv_filtered_without_changing_sampling', 'phasor_conv_calibration_mag_adj', 'phasor_conv_calibration_phas_adj', 'phasor_conv_rotation_phase_adj', 'phasor_conv_pseudo_phasor_val', 'phasor_conv_mod_appl', 'phasor_conv_phasor_component', 'phasor_conv_phasor_type', 'phasor_conv_user_def', 'phasor_conv_scale_factor', 'phasor_conv_angle_adj', 'analog_conv_analog_flags', 'analog_conv_user_defined_scaling', 'analog_conv_mag_scale', 'analog_conv_offset', 'digital_conv_normal_status_mask', 'digital_conv_valid_inputs_mask', 'pmu_lat', 'pmu_lon', 'pmu_elev', 'window', 'group_delay', 'fnom', 'cfgcnt' ]" + code => "event.set('[zeek_cols]', $zeek_synchrophasor_cfg_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_cfg_detail" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_data") { + ############################################################################################################################# + # synchrophasor_data.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + dissect { + id => "dissect_zeek_synchrophasor_data" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_frame_id]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_data" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => 
"ruby_zip_zeek_synchrophasor_data" + init => "$zeek_synchrophasor_data_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'pmu_count_expected', 'pmu_count_actual', 'data_frame_id' ]" + code => "event.set('[zeek_cols]', $zeek_synchrophasor_data_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_data" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_data_detail") { + ############################################################################################################################# + # synchrophasor_data_detail.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + dissect { + id => "dissect_zeek_synchrophasor_data_detail" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][trigger_reason]} %{[zeek_cols][unlocked_time]} %{[zeek_cols][pmu_time_quality]} %{[zeek_cols][data_modified]} %{[zeek_cols][config_change]} %{[zeek_cols][pmu_trigger_pickup]} %{[zeek_cols][data_sorting_type]} %{[zeek_cols][pmu_sync_error]} %{[zeek_cols][data_error_indicator]} %{[zeek_cols][est_rectangular_real]} %{[zeek_cols][est_rectangular_imaginary]} %{[zeek_cols][est_polar_magnitude]} %{[zeek_cols][est_polar_angle]} %{[zeek_cols][freq_dev_mhz]} %{[zeek_cols][rocof]} %{[zeek_cols][analog_data]} %{[zeek_cols][digital]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_data_detail" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR 
DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_data_detail" + init => "$zeek_synchrophasor_data_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'data_frame_id', 'pmu_idx', 'trigger_reason', 'unlocked_time', 'pmu_time_quality', 'data_modified', 'config_change', 'pmu_trigger_pickup', 'data_sorting_type', 'pmu_sync_error', 'data_error_indicator', 'est_rectangular_real', 'est_rectangular_imaginary', 'est_polar_magnitude', 'est_polar_angle', 'freq_dev_mhz', 'rocof', 'analog_data', 'digital' ]" + code => "event.set('[zeek_cols]', $zeek_synchrophasor_data_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_data_detail" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_hdr") { + ############################################################################################################################# + # synchrophasor_hdr.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + dissect { + id => "dissect_zeek_synchrophasor_hdr" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_hdr" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_hdr" + init => "$zeek_synchrophasor_hdr_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 
'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'data' ]" + code => "event.set('[zeek_cols]', $zeek_synchrophasor_hdr_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_hdr" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + } else if ([log_source] == "syslog") { ############################################################################################################################# # syslog.log diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf index 54a454ce8..7e56a04e7 100644 --- a/logstash/pipelines/zeek/12_zeek_mutate.conf +++ b/logstash/pipelines/zeek/12_zeek_mutate.conf 
@@ -2153,6 +2153,76 @@ filter { if ([zeek][stun_nat][wan_port]) { mutate { id => "mutate_add_field_ecs_zeek_stun_nat_wan_port" add_field => { "[source][nat][port]" => "%{[zeek][stun_nat][wan_port]}" } } } + } else if ([log_source] =~ /^synchrophasor/) { + + mutate { + id => "mutate_rename_synchrophasor_fields" + rename => { "[zeek][synchrophasor_cfg][data_rate]" => "[zeek][synchrophasor][data_rate]" } + rename => { "[zeek][synchrophasor_cfg][frame_size]" => "[zeek][synchrophasor][frame_size]" } + rename => { "[zeek][synchrophasor_cfg][frame_type]" => "[zeek][synchrophasor][frame_type]" } + rename => { "[zeek][synchrophasor_cfg][header_time_stamp]" => "[zeek][synchrophasor][header_time_stamp]" } + rename => { "[zeek][synchrophasor_cfg_detail][frame_type]" => "[zeek][synchrophasor][frame_type]" } + rename => { "[zeek][synchrophasor_cfg_detail][header_time_stamp]" => "[zeek][synchrophasor][header_time_stamp]" } + rename => { "[zeek][synchrophasor_cmd][frame_size]" => "[zeek][synchrophasor][frame_size]" } + rename => { "[zeek][synchrophasor_cmd][frame_type]" => "[zeek][synchrophasor][frame_type]" } + rename => { "[zeek][synchrophasor_cmd][header_time_stamp]" => "[zeek][synchrophasor][header_time_stamp]" } + rename => { "[zeek][synchrophasor_data][frame_size]" => "[zeek][synchrophasor][frame_size]" } + rename => { "[zeek][synchrophasor_data][frame_type]" => "[zeek][synchrophasor][frame_type]" } + rename => { "[zeek][synchrophasor_data][header_time_stamp]" => "[zeek][synchrophasor][header_time_stamp]" } + rename => { "[zeek][synchrophasor_data_detail][frame_type]" => "[zeek][synchrophasor][frame_type]" } + rename => { "[zeek][synchrophasor_data_detail][header_time_stamp]" => "[zeek][synchrophasor][header_time_stamp]" } + rename => { "[zeek][synchrophasor_hdr][frame_size]" => "[zeek][synchrophasor][frame_size]" } + rename => { "[zeek][synchrophasor_hdr][frame_type]" => "[zeek][synchrophasor][frame_type]" } + rename => { "[zeek][synchrophasor_hdr][header_time_stamp]" => 
"[zeek][synchrophasor][header_time_stamp]" } + } + + mutate { + id => "mutate_split_synchrophasor_fields" + split => { "[zeek][synchrophasor_cfg_detail][analog_conv_analog_flags]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][analog_conv_mag_scale]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][analog_conv_offset]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][analog_conv_user_defined_scaling]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][annam]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][dgnam]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][digital_conv_normal_status_mask]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][digital_conv_valid_inputs_mask]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_angle_adj]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_calibration_mag_adj]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_calibration_phas_adj]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_downsampled_fir_filter]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_downsampled_no_fir_filter]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_downsampled_reselection]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_filtered_without_changing_sampling]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_mod_appl]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_phasor_component]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_phasor_type]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_phunit]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_phvalue]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_pseudo_phasor_val]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_rotation_phase_adj]" => "," } + split => { 
"[zeek][synchrophasor_cfg_detail][phasor_conv_scale_factor]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_upsampled_extrapolation]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_upsampled_interpolation]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phasor_conv_user_def]" => "," } + split => { "[zeek][synchrophasor_cfg_detail][phnam]" => "," } + split => { "[zeek][synchrophasor_cmd][extframe]" => "," } + split => { "[zeek][synchrophasor_data_detail][analog_data]" => "," } + split => { "[zeek][synchrophasor_data_detail][digital]" => "," } + split => { "[zeek][synchrophasor_data_detail][est_polar_angle]" => "," } + split => { "[zeek][synchrophasor_data_detail][est_polar_magnitude]" => "," } + split => { "[zeek][synchrophasor_data_detail][est_rectangular_imaginary]" => "," } + split => { "[zeek][synchrophasor_data_detail][est_rectangular_real]" => "," } + } + + if ([zeek][synchrophasor][frame_size]) { + mutate { id => "mutate_add_field_totDataBytes_zeek_synchrophasor_frame_size" + add_field => { "[totDataBytes]" => "%{[zeek][synchrophasor][frame_size]}" } } + } + if ([zeek][synchrophasor][frame_size_tot]) { + mutate { id => "mutate_add_field_totDataBytes_zeek_synchrophasor_frame_size_tot" + add_field => { "[totDataBytes]" => "%{[zeek][synchrophasor][frame_size_tot]}" } } + } + } else if ([log_source] == "tds_rpc") { ############################################################################################################################# # tds_rpc.log specific logic diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf index f5d55ed3e..f06162037 100644 --- a/logstash/pipelines/zeek/13_zeek_normalize.conf +++ b/logstash/pipelines/zeek/13_zeek_normalize.conf 
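Review bot: The `mutate_rename_synchrophasor_fields` block at the top of the hunk folds `frame_size`, `frame_type` and `header_time_stamp` from six different `synchrophasor_*` log types into one `[zeek][synchrophasor]` namespace, but nothing in the hunk says why, and the `13_zeek_normalize.conf` and `14_zeek_convert.conf` hunks further down this page are the only clue that the shared name is what lets those files handle the fields once. A one-line comment above the block would spare the next reader that search: `# fields shared by every synchrophasor_* log are collapsed into [zeek][synchrophasor] so normalize/convert can handle them once`. The trailing `[zeek][synchrophasor][frame_size_tot]` condition has no rename feeding it in this hunk, so presumably that field arrives already namespaced from synchrophasor.log; a short comment saying so would keep it from reading as dead code. The enclosing `filter {` block begins and ends outside the hunk.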
@@ -155,6 +155,9 @@ filter { if ([zeek][ssl][ssl_version]) { mutate { id => "mutate_merge_normalize_zeek_ssl_ssl_version" merge => { "[network][protocol_version]" => "[zeek][ssl][ssl_version]" } } } + if ([zeek][synchrophasor][version]) { mutate { id => "mutate_merge_normalize_zeek_synchrophasor_version" + merge => { "[network][protocol_version]" => "[zeek][synchrophasor][version]" } } } + # Action ############################################################################################################ # collect all actions/operations/commands under the parent [event][action] array @@ -600,6 +603,9 @@ filter { if ([zeek][stun][method]) { mutate { id => "mutate_merge_normalize_zeek_stun_method" merge => { "[event][action]" => "[zeek][stun][method]" } } } + if ([zeek][synchrophasor_cmd][command]) { mutate { id => "mutate_merge_normalize_zeek_synchrophasor_cmd_command" + merge => { "[event][action]" => "[zeek][synchrophasor_cmd][command]" } } } + if ([zeek][tds][command]) { mutate { id => "mutate_merge_normalize_zeek_tds_command" merge => { "[event][action]" => "[zeek][tds][command]" } } } diff --git a/logstash/pipelines/zeek/14_zeek_convert.conf b/logstash/pipelines/zeek/14_zeek_convert.conf index c460184b0..51e9b2dfb 100644 --- a/logstash/pipelines/zeek/14_zeek_convert.conf +++ b/logstash/pipelines/zeek/14_zeek_convert.conf 
@@ -373,6 +373,19 @@ filter { } } + if ([zeek][synchrophasor][header_time_stamp]) { + if ([zeek][synchrophasor][header_time_stamp] == "0.000000") { + mutate { id => "mutate_remove_field_zeek_synchrophasor_header_time_stamp" + remove_field => [ "[zeek][synchrophasor][header_time_stamp]" ] } + } else { + date { + id => "date_zeek_synchrophasor_header_time_stamp" + match => [ "[zeek][synchrophasor][header_time_stamp]", "UNIX" ] + target => "[zeek][synchrophasor][header_time_stamp]" + } + } + } + if ([zeek][x509][certificate_not_valid_after]) { if ([zeek][x509][certificate_not_valid_after] == "0.000000") { mutate { id => "mutate_remove_field_zeek_x509_certificate_not_valid_after_zero" diff --git a/logstash/scripts/ip-to-segment-logstash.py b/logstash/scripts/ip-to-segment-logstash.py deleted file mode 100755 index bbeff56f0..000000000 --- a/logstash/scripts/ip-to-segment-logstash.py +++ /dev/null 
@@ -1,305 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- - -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -import sys -import os -import re -import argparse -import struct -import ipaddress -import itertools -import json -import pprint -import uuid -from collections import defaultdict - -UNSPECIFIED_TAG = '<~<~~>~>' -DEVICE_LIST_IDX = 0 -SEGMENT_LIST_IDX = 1 - -JSON_MAP_TYPE_SEGMENT = 'segment' -JSON_MAP_TYPE_DEVICE = 'host' -JSON_MAP_KEY_ADDR = 'address' -JSON_MAP_KEY_NAME = 'name' -JSON_MAP_KEY_TAG = 'tag' -JSON_MAP_KEY_TYPE = 'type' - -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) - - -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ('yes', 'true', 't', 'y', '1'): - return True - elif v.lower() in ('no', 'false', 'f', 'n', '0'): - return False - else: - raise argparse.ArgumentTypeError('Boolean value expected.') - - -################################################################################################### -# main -def main(): - - # extract arguments from the command line - # print (sys.argv[1:]); - parser = argparse.ArgumentParser( - description='Logstash IP address to Segment Filter Creator', - add_help=False, - usage='ip-to-segment-logstash.py ', - ) - parser.add_argument( - '-i', - '--input', - dest='jsonInput', - metavar='', - type=str, - nargs='*', - default='', - help='JSON network mapping file(s)', - ) - parser.add_argument( - '-o', - '--output', - dest='output', - metavar='', - type=str, - default='-', - help='Output file', - ) - parser.add_argument( - '-t', - '--tags', - dest='tagChecking', - type=str2bool, - nargs='?', - const=True, - default=False, - help=f"Generate check for required tags based on {JSON_MAP_KEY_TAG} attribute", - ) - 
try: - parser.error = parser.exit - args = parser.parse_args() - except SystemExit: - parser.print_help() - exit(2) - - # read each input file into its own list - mixedEntries = [] - - for inFile in args.jsonInput: - try: - tmpMixedEntries = json.load(open(inFile, 'r')) - if isinstance(tmpMixedEntries, list): - mixedEntries.extend(tmpMixedEntries) - except: - pass - - if len(mixedEntries) > 0: - - filterId = 0 - addedFields = set() - - outFile = open(args.output, 'w+') if (args.output and args.output != '-') else sys.stdout - try: - print('filter {', file=outFile) - print("", file=outFile) - print(" # this file was automatically generated by {}".format(os.path.basename(__file__)), file=outFile) - print("", file=outFile) - - # process segment mappings into a dictionary of two dictionaries of lists (one for devices, one for segments) - # eg., tagListMap[required tag name][DEVICE_LIST_IDX|SEGMENT_LIST_IDX][network segment name] = [172.16.0.0/12, 192.168.0.0/24, 10.0.0.41] - tagListMap = defaultdict(lambda: [defaultdict(list), defaultdict(list)]) - - # handle mixed entries from the JSON-formatted file - for entry in mixedEntries: - - # the entry must at least contain type, address, name; may optionally contain tag - if ( - isinstance(entry, dict) - and all(key in entry for key in (JSON_MAP_KEY_TYPE, JSON_MAP_KEY_NAME, JSON_MAP_KEY_ADDR)) - and entry[JSON_MAP_KEY_TYPE] in (JSON_MAP_TYPE_SEGMENT, JSON_MAP_TYPE_DEVICE) - and (len(entry[JSON_MAP_KEY_NAME]) > 0) - and (len(entry[JSON_MAP_KEY_ADDR]) > 0) - ): - - addressList = [] - networkList = [] - - tagReq = ( - entry[JSON_MAP_KEY_TAG] - if args.tagChecking and (JSON_MAP_KEY_TAG in entry) and (len(entry[JSON_MAP_KEY_TAG]) > 0) - else UNSPECIFIED_TAG - ) - - # account for comma-separated multiple addresses per 'address' value - for addr in ''.join(entry[JSON_MAP_KEY_ADDR].split()).split(','): - - if entry[JSON_MAP_KEY_TYPE] == JSON_MAP_TYPE_SEGMENT: - # potentially interpret address as a CIDR-formatted subnet - try: - 
networkList.append( - str(ipaddress.ip_network(addr)).lower() - if ('/' in addr) - else str(ipaddress.ip_address(addr)).lower() - ) - except ValueError: - eprint('"{}" is not a valid IP address, ignoring'.format(addr)) - - else: - # should be an IP or MAC address - try: - # see if it's an IP address - addressList.append(str(ipaddress.ip_address(addr)).lower()) - except ValueError: - # see if it's a MAC address - if re.match(macAddrRegex, addr): - # prepend _ temporarily to distinguish a mac address - addressList.append("_{}".format(addr.replace('-', ':').lower())) - else: - eprint('"{}" is not a valid IP or MAC address, ignoring'.format(ip)) - - if len(networkList) > 0: - tagListMap[tagReq][SEGMENT_LIST_IDX][entry[JSON_MAP_KEY_NAME]].extend(networkList) - - if len(addressList) > 0: - tagListMap[tagReq][DEVICE_LIST_IDX][entry[JSON_MAP_KEY_NAME]].extend(addressList) - - # go through the lists of segments/devices, which will now be organized by required tag first, then - # segment/device name, then the list of addresses - for tag, nameMaps in tagListMap.items(): - print("", file=outFile) - - # if a tag name is specified, print the IF statement verifying the tag's presence - if tag != UNSPECIFIED_TAG: - print(' if ("{}" in [tags]) {{'.format(tag), file=outFile) - try: - - # for the device(s) to be checked, create two filters, one for source IP|MAC and one for dest IP|MAC - for device, addrList in nameMaps[DEVICE_LIST_IDX].items(): - - # ip addresses mapped to device - ipList = list(set([a for a in addrList if not a.startswith('_')])) - if len(ipList) >= 1: - for source in ['source', 'destination']: - filterId += 1 - newFieldName = "".join([f"[{x}]" for x in [source, "device", "name"]]) - print("", file=outFile) - print( - ' if ([{}][ip]) and ({}) {{ '.format( - source, ' or '.join(['([{}][ip] == "{}")'.format(source, ip) for ip in ipList]) - ), - file=outFile, - ) - print( - ' mutate {{ id => "mutate_add_autogen_{}_ip_device_{}"'.format( - source, filterId - ), - 
file=outFile, - ) - print( - ' add_field => {{ "{}" => "{}" }}'.format(newFieldName, device), - file=outFile, - ) - print(" }", file=outFile) - print(" }", file=outFile) - addedFields.add(newFieldName) - - # mac addresses mapped to device - macList = list(set([a for a in addrList if a.startswith('_')])) - if len(macList) >= 1: - for source in ['source', 'destination']: - filterId += 1 - newFieldName = "".join([f"[{x}]" for x in [source, "device", "name"]]) - print("", file=outFile) - print( - ' if ([{}][mac]) and ({}) {{ '.format( - source, - ' or '.join(['([{}][mac] == "{}")'.format(source, mac[1:]) for mac in macList]), - ), - file=outFile, - ) - print( - ' mutate {{ id => "mutate_add_autogen_{}_mac_device_{}"'.format( - source, filterId - ), - file=outFile, - ) - print( - ' add_field => {{ "{}" => "{}" }}'.format(newFieldName, device), - file=outFile, - ) - print(" }", file=outFile) - print(" }", file=outFile) - addedFields.add(newFieldName) - - # for the segment(s) to be checked, create two cidr filters, one for source IP and one for dest IP - for segmentName, ipList in nameMaps[SEGMENT_LIST_IDX].items(): - ipList = list(set(ipList)) - for source in ['source', 'destination']: - filterId += 1 - # ip addresses/ranges mapped to network segment names - newFieldName = "".join([f"[{x}]" for x in [source, "segment", "name"]]) - print("", file=outFile) - print(" if ([{}][ip]) {{ cidr {{".format(source), file=outFile) - print(' id => "cidr_autogen_{}_segment_{}"'.format(source, filterId), file=outFile) - print(' address => [ "%{{[{}][ip]}}" ]'.format(source), file=outFile) - print( - ' network => [ {} ]'.format(', '.join('"{}"'.format(ip) for ip in ipList)), - file=outFile, - ) - print( - ' add_field => {{ "{}" => "{}" }}'.format(newFieldName, segmentName), file=outFile - ) - print(" } }", file=outFile) - addedFields.add("{}".format(newFieldName)) - - finally: - # if a tag name is specified, close the IF statement verifying the tag's presence - if tag != 
UNSPECIFIED_TAG: - print("", file=outFile) - print(' }} # end (if "{}" in [tags])'.format(tag), file=outFile) - - finally: - # deduplicate any added fields - if addedFields: - print("", file=outFile) - print(' # deduplicate any added fields', file=outFile) - for field in list(itertools.product(['source', 'destination'], ['device', 'segment'], ['name'])): - newFieldName = "".join([f"[{x}]" for x in [field[0], field[1], field[2]]]) - if newFieldName in addedFields: - print("", file=outFile) - print(' if ({}) {{ '.format(newFieldName), file=outFile) - print( - ' ruby {{ id => "ruby{}deduplicate"'.format( - ''.join(c for c, _ in itertools.groupby(re.sub('[^0-9a-zA-Z]+', '_', newFieldName))) - ), - file=outFile, - ) - print(' code => "', file=outFile) - print(" fieldVals = event.get('{}')".format(newFieldName), file=outFile) - print( - " if fieldVals.kind_of?(Array) then event.set('{}', fieldVals.uniq) end".format( - newFieldName - ), - file=outFile, - ) - print(' "', file=outFile) - print(' } }', file=outFile) - - # close out filter with ending } - print("", file=outFile) - print('} # end Filter', file=outFile) - - if outFile is not sys.stdout: - outFile.close() - - -if __name__ == '__main__': - main() diff --git a/logstash/scripts/ja3_build_list.py b/logstash/scripts/ja3_build_list.py index 42ec77f71..2ff1ab966 100755 --- a/logstash/scripts/ja3_build_list.py +++ b/logstash/scripts/ja3_build_list.py @@ -31,6 +31,7 @@ except NameError: FileNotFoundError = IOError + ################################################################################################### # print to stderr def eprint(*args, **kwargs): diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh index bee60878c..01f945272 100755 --- a/logstash/scripts/logstash-start.sh +++ b/logstash/scripts/logstash-start.sh 
@@ -17,9 +17,6 @@ export PIPELINES_CFG="/usr/share/logstash/config/pipelines.yml" # pipeline section in pipelines.yml (then delete 00_config.conf before starting) export PIPELINE_EXTRA_CONF_FILE="00_config.conf" -# files defining IP->host and MAC->host mapping -INPUT_MIXED_MAP="/usr/share/logstash/config/net-map.json" - # the name of the enrichment pipeline subdirectory under $PIPELINES_DIR ENRICHMENT_PIPELINE=${LOGSTASH_ENRICHMENT_PIPELINE:-"enrichment"} @@ -31,10 +28,6 @@ export OPENSEARCH_PIPELINE_ADDRESS_INTERNAL=${LOGSTASH_OPENSEARCH_PIPELINE_ADDRE export OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL=${LOGSTASH_OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL:-"external-os"} OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES=${LOGSTASH_OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES:-"$OPENSEARCH_PIPELINE_ADDRESS_INTERNAL,$OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL"} -# ip-to-segment-logstash.py translates $INPUT_MIXED_MAP into this logstash filter file -NETWORK_MAP_OUTPUT_FILTER="$PIPELINES_DIR"/"$ENRICHMENT_PIPELINE"/16_host_segment_filters.conf -export NETWORK_MAP_ENRICHMENT=${LOGSTASH_NETWORK_MAP_ENRICHMENT:-"true"} - # output plugin configuration for primary and secondary opensearch destinations OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} OPENSEARCH_SECONDARY=${OPENSEARCH_SECONDARY:-"false"} 
@@ -42,8 +35,8 @@ OPENSEARCH_SECONDARY=${OPENSEARCH_SECONDARY:-"false"} OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"} OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION:-"false"} -OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} -OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE=${OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE:-"/var/local/opensearch.secondary.curlrc"} +OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.primary.curlrc"} +OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE=${OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.secondary.curlrc"} [[ "$OPENSEARCH_SECONDARY" != "true" ]] && OPENSEARCH_SECONDARY_URL= export OPENSEARCH_SECONDARY_URL @@ -76,10 +69,6 @@ find "$PIPELINES_DIR" -mindepth 1 -maxdepth 1 -type d -print0 2>/dev/null | sort fi ' -# create filters for network segment and host mapping in the enrichment directory -rm -f "$NETWORK_MAP_OUTPUT_FILTER" -[[ "$NETWORK_MAP_ENRICHMENT" == "true" ]] && /usr/local/bin/ip-to-segment-logstash.py --input "$INPUT_MIXED_MAP" -o "$NETWORK_MAP_OUTPUT_FILTER" - if [[ -z "$OPENSEARCH_SECONDARY_URL" ]]; then # external ES host destination is not specified, remove external destination from enrichment pipeline output OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES="$(echo "$OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES" | sed "s/,[[:blank:]]*$OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL//")" 
@@ -95,7 +84,7 @@ OPENSSL_USER= OPENSSL_PASSWORD= if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then pushd "$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" >/dev/null 2>&1 - NEW_USER_PASSWORD="$(python3 -c "import malcolm_common; result=malcolm_common.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" + NEW_USER_PASSWORD="$(python3 -c "import malcolm_utils; result=malcolm_utils.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" OPENSSL_USER="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f1)" OPENSSL_PASSWORD="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f2-)" popd >/dev/null 2>&1 @@ -105,7 +94,7 @@ OPENSSL_SECONDARY_USER= OPENSSL_SECONDARY_PASSWORD= if [[ "$OPENSEARCH_SECONDARY" == "true" ]] && [[ -r "$OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE" ]]; then pushd "$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" >/dev/null 2>&1 - NEW_SECONDARY_USER_PASSWORD="$(python3 -c "import malcolm_common; result=malcolm_common.ParseCurlFile('$OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" + NEW_SECONDARY_USER_PASSWORD="$(python3 -c "import malcolm_utils; result=malcolm_utils.ParseCurlFile('$OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" OPENSSL_SECONDARY_USER="$(echo "$NEW_SECONDARY_USER_PASSWORD" | cut -d'|' -f1)" OPENSSL_SECONDARY_PASSWORD="$(echo "$NEW_SECONDARY_USER_PASSWORD" | cut -d'|' -f2-)" popd >/dev/null 2>&1 
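Review bot: The credentials file path is interpolated into a Python single-quoted string literal in `NEW_USER_PASSWORD="$(python3 -c "import malcolm_utils; result=malcolm_utils.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); ...")"`, so a value of `OPENSEARCH_CREDS_CONFIG_FILE` containing a quote or backslash becomes a Python syntax error or a different expression rather than a clean file-not-found; the `-105` hunk's `OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE` line has the same shape. The variable is operator-set with a fixed default, so exposure is low, but handing the path over as an argument sidesteps the problem: `NEW_USER_PASSWORD="$(python3 -c "import sys, malcolm_utils; result=malcolm_utils.ParseCurlFile(sys.argv[1]); print(result['user']+'|'+result['password']);" "$OPENSEARCH_CREDS_CONFIG_FILE")"`. The `user|password` join that follows is split with `cut -d'|' -f1` / `-f2-`, which tolerates a `|` in the password but not in the user name; that is pre-existing and only worth a comment on the line. The enclosing `if [[ "$OPENSEARCH_LOCAL" == "false" ]] ...` block closes outside the hunk.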
@@ -131,6 +120,9 @@ find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_O # import trusted CA certificates if necessary /usr/local/bin/jdk-cacerts-auto-import.sh || true +# bootstrap keystore file if necessary +/usr/local/bin/keystore-bootstrap.sh || true + # logstash may wish to modify logstash.yml based on some environment variables (e.g., # pipeline.workers), so copy the original onto from the image over the "working copy" before start [[ -r /usr/share/logstash/config/logstash.orig.yml ]] && \ diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh index 8671bc72a..9e02a58bc 100755 --- a/malcolm-iso/build.sh +++ b/malcolm-iso/build.sh @@ -98,16 +98,17 @@ if [ -d "$WORKDIR" ]; then MALCOLM_DEST_DIR="$WORKDIR/work/$IMAGE_NAME-Live-Build/config/includes.chroot/etc/skel/Malcolm" mkdir -p "$MALCOLM_DEST_DIR/arkime-logs/" mkdir -p "$MALCOLM_DEST_DIR/arkime-raw/" + mkdir -p "$MALCOLM_DEST_DIR/config/" mkdir -p "$MALCOLM_DEST_DIR/filebeat/certs/" mkdir -p "$MALCOLM_DEST_DIR/htadmin/" mkdir -p "$MALCOLM_DEST_DIR/logstash/certs/" mkdir -p "$MALCOLM_DEST_DIR/logstash/maps/" - mkdir -p "$MALCOLM_DEST_DIR/netbox/env/" mkdir -p "$MALCOLM_DEST_DIR/netbox/media/" mkdir -p "$MALCOLM_DEST_DIR/netbox/postgres/" mkdir -p "$MALCOLM_DEST_DIR/netbox/redis/" mkdir -p "$MALCOLM_DEST_DIR/nginx/ca-trust/" mkdir -p "$MALCOLM_DEST_DIR/nginx/certs/" + mkdir -p "$MALCOLM_DEST_DIR/kubernetes/" mkdir -p "$MALCOLM_DEST_DIR/opensearch-backup/" mkdir -p "$MALCOLM_DEST_DIR/opensearch/nodes/" mkdir -p "$MALCOLM_DEST_DIR/pcap/processed/" 
@@ -138,12 +139,17 @@ if [ -d "$WORKDIR" ]; then ln -s ./control.py status ln -s ./control.py stop ln -s ./control.py wipe + ln -s ./install.py configure popd >/dev/null 2>&1 + cp ./config/*.example "$MALCOLM_DEST_DIR/config/" cp ./scripts/malcolm_common.py "$MALCOLM_DEST_DIR/scripts/" + cp ./scripts/malcolm_kubernetes.py "$MALCOLM_DEST_DIR/scripts/" + cp ./scripts/malcolm_utils.py "$MALCOLM_DEST_DIR/scripts/" + cp ./kubernetes/*.* "$MALCOLM_DEST_DIR/kubernetes/" + grep -v "^#" ./kubernetes/.gitignore | xargs -r -I XXX rm -f "$MALCOLM_DEST_DIR/kubernetes/XXX" cp ./logstash/certs/*.conf "$MALCOLM_DEST_DIR/logstash/certs/" cp ./logstash/maps/malcolm_severity.yaml "$MALCOLM_DEST_DIR/logstash/maps/" cp -r ./netbox/config/ "$MALCOLM_DEST_DIR/netbox/" - cp ./netbox/env/netbox.env.example "$MALCOLM_DEST_DIR/netbox/env/" touch "$MALCOLM_DEST_DIR"/firstrun popd >/dev/null 2>&1 @@ -177,6 +183,7 @@ if [ -d "$WORKDIR" ]; then # copy shared scripts and some branding stuff mkdir -p ./config/includes.chroot/usr/local/bin/ rsync -a "$SCRIPT_PATH/../shared/bin/" ./config/includes.chroot/usr/local/bin/ + cp "$SCRIPT_PATH/../scripts/malcolm_utils.py" ./config/includes.chroot/usr/local/bin/ chown -R root:root ./config/includes.chroot/usr/local/bin/ mkdir -p ./config/includes.chroot/usr/share/images/desktop-base/ diff --git a/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot b/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot index 48608cb18..605e90427 100755 --- a/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0169-pip-installs.hook.chroot @@ -5,4 +5,7 @@ export LANG=C.UTF-8 # python 3 pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \ - debinterface \ No newline at end of file + debinterface \ + kubernetes \ + python-dotenv \ + ruamel.yaml \ No newline at end of file 
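Review bot: `grep -v "^#" ./kubernetes/.gitignore | xargs -r -I XXX rm -f "$MALCOLM_DEST_DIR/kubernetes/XXX"` treats every non-comment line of the .gitignore as a literal file name, but .gitignore syntax also allows blank lines, glob patterns, `!` negations and `dir/` entries; a blank line becomes `rm -f "$MALCOLM_DEST_DIR/kubernetes/"` and a glob is never expanded because the substituted argument is quoted, so whatever that pattern was meant to keep out of the image survives into it. At minimum skip blank lines, `grep -v -e "^#" -e "^[[:space:]]*$" ./kubernetes/.gitignore | xargs -r -I XXX rm -f "$MALCOLM_DEST_DIR/kubernetes/XXX"`, and state in a comment that the list is expected to hold plain file names. The preceding `cp ./kubernetes/*.* "$MALCOLM_DEST_DIR/kubernetes/"` copies only names containing a dot, which may be intended but deserves a comment too. The enclosing `if [ -d "$WORKDIR" ]` block begins and ends outside the hunk.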
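Review bot: The three packages added to the `pip3 install` line (`kubernetes`, `python-dotenv`, `ruamel.yaml`) are unpinned, and combined with `--force-reinstall --upgrade` every ISO build pulls whatever PyPI serves at that moment, so two builds from the same commit can ship different code and a compromised or yanked release lands silently. Pinning each entry (`kubernetes==<version>`, with the version chosen and recorded in the repo) or moving the list to a requirements file installed with `--require-hashes` makes the image reproducible and gives upgrades a place to be reviewed. The pre-existing `debinterface` entry has the same issue.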
diff --git a/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot b/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot
index aebae33a1..02879baec 100755
--- a/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot
+++ b/malcolm-iso/config/hooks/normal/0910-agg-build.hook.chroot
@@ -115,3 +115,21 @@ chmod 755 /usr/local/bin/step
 chown root:root /usr/local/bin/step
 rm -rf /tmp/step*
 ###
+
+ # stern
+ RELEASE_URL="https://api.github.com/repos/stern/stern/releases/latest"
+ RELEASE_FILE_REGEX="_linux_amd64\\\.tar\\\.gz$"
+ cd /tmp
+ mkdir -p ./stern
+ curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$(curl "${GITHUB_API_CURL_ARGS[@]}" "$RELEASE_URL" | jq '.assets_url' | tr -d '"')" | jq ".[] | select(.browser_download_url|test(\"$RELEASE_FILE_REGEX\")) | .browser_download_url" | tr -d '"')" | tar xzf - -C ./stern
+ mv ./stern/stern /usr/local/bin/stern
+ chmod 755 /usr/local/bin/stern
+ chown root:root /usr/local/bin/stern
+ rm -rf /tmp/stern*
+ ###
+
+ # kubectl
+ curl -sSL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/$(curl -sSL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+ chmod 755 /usr/local/bin/kubectl
+ chown root:root /usr/local/bin/kubectl
+ ###
diff --git a/malcolm-iso/config/includes.chroot/etc/bash.bash_functions b/malcolm-iso/config/includes.chroot/etc/bash.bash_functions
index 0a84bb064..f28514ab8 100644
--- a/malcolm-iso/config/includes.chroot/etc/bash.bash_functions
+++ b/malcolm-iso/config/includes.chroot/etc/bash.bash_functions
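Review bot: Both new downloads install executables into `/usr/local/bin` straight from the network with no integrity check and no version pin: stern comes from whatever `releases/latest` resolves to and kubectl from `stable.txt`, so the ISO's contents are decided by the upstream at build time, and a tampered or swapped artifact would be installed as root-owned, mode 755 tooling with no signal. kubectl publishes a `.sha256` file next to each binary, so the version can be resolved once, the download verified against it and the build aborted on mismatch; resolving a fixed `KUBECTL_VERSION` instead of `stable.txt` would additionally make the image reproducible. The stern block should likewise pin a release and verify the checksum the project publishes with it. The existing `step` block above follows the same unverified pattern, so this is a pre-existing practice rather than a regression introduced here.
```shell
# kubectl
KUBECTL_VERSION="$(curl -sSL https://dl.k8s.io/release/stable.txt)"
curl -sSL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
curl -sSL -o /tmp/kubectl.sha256 "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
echo "$(cat /tmp/kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum --check || exit 1
rm -f /tmp/kubectl.sha256
# … unchanged: chmod/chown of kubectl …
```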
@@ -509,9 +509,9 @@ function malcolmmonitor () { select-pane -t 5 \; \ send-keys 'while true; do clear; free -m | head -n 2; sleep 60; done' C-m \; \ select-pane -t 6 \; \ - send-keys "while true; do clear; pushd ~/Malcolm >/dev/null 2>&1; docker-compose exec -u $(id -u) api curl -sSL 'http://localhost:5000/agg/event.dataset?from=1970' | python3 -m json.tool | grep -P '\b(doc_count|key)\b' | tr -d '\", ' | cut -d: -f2 | paste - - -d'\t\t' | head -n $(( (MAX_HEIGHT / 2) - 1 )) ; popd >/dev/null 2>&1; sleep 60; done" C-m \; \ + send-keys "while true; do clear; pushd ~/Malcolm >/dev/null 2>&1; docker-compose exec -u $(id -u) api curl -sSL 'http://localhost:5000/mapi/agg/event.dataset?from=1970' | python3 -m json.tool | grep -P '\b(doc_count|key)\b' | tr -d '\", ' | cut -d: -f2 | paste - - -d'\t\t' | head -n $(( (MAX_HEIGHT / 2) - 1 )) ; popd >/dev/null 2>&1; sleep 60; done" C-m \; \ select-pane -t 7 \; \ - send-keys "while true; do clear; pushd ~/Malcolm >/dev/null 2>&1; docker-compose exec -u $(id -u) api curl -sSL 'http://localhost:5000/agg?from=1970' | python3 -m json.tool | grep -P '\b(doc_count|key)\b' | tr -d '\", ' | cut -d: -f2 | paste - - -d'\t\t' ; popd >/dev/null 2>&1; sleep 60; done" C-m \; \ + send-keys "while true; do clear; pushd ~/Malcolm >/dev/null 2>&1; docker-compose exec -u $(id -u) api curl -sSL 'http://localhost:5000/mapi/agg?from=1970' | python3 -m json.tool | grep -P '\b(doc_count|key)\b' | tr -d '\", ' | cut -d: -f2 | paste - - -d'\t\t' ; popd >/dev/null 2>&1; sleep 60; done" C-m \; \ split-window -v \; \ select-pane -t 8 \; \ send-keys "while true; do clear; find ~/Malcolm/zeek-logs/extract_files -type f | sed 's@.*/\(.*\)/.*@\1@' | sort | uniq -c | sort -nr; sleep 60; done" C-m \; \ diff --git a/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/panel/launcher-18/16343117498.desktop b/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/panel/launcher-18/16343117498.desktop index 74b317196..216c3b8a3 100644 
--- a/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/panel/launcher-18/16343117498.desktop +++ b/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/panel/launcher-18/16343117498.desktop @@ -1,7 +1,7 @@ [Desktop Entry] Version=1.0 Name=Malcolm - User Management -Exec=/opt/firefox/firefox https://localhost:488/ +Exec=/opt/firefox/firefox https://localhost/auth/ Terminal=false X-MultipleArgs=false Type=Application diff --git a/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/panel/launcher-19/16343117417.desktop b/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/panel/launcher-19/16343117417.desktop deleted file mode 100644 index 95e27ad26..000000000 --- a/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/panel/launcher-19/16343117417.desktop +++ /dev/null @@ -1,12 +0,0 @@ -[Desktop Entry] -Version=1.0 -Name=Malcolm - Host and Subnet Name Mapping -Exec=/opt/firefox/firefox https://localhost/name-map-ui/ -Terminal=false -X-MultipleArgs=false -Type=Application -Icon=server -Categories=Network; -StartupWMClass=Firefox -StartupNotify=true -X-XFCE-Source=file:///usr/share/applications/malcolm-mapping.desktop diff --git a/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml b/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml index 9d0f3e6b6..a9613f2cf 100644 --- a/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml +++ b/malcolm-iso/config/includes.chroot/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml @@ -20,7 +20,6 @@ - @@ -97,11 +96,6 @@ - - - - - diff --git a/malcolm-iso/config/includes.chroot/etc/skel/.tmux.conf b/malcolm-iso/config/includes.chroot/etc/skel/.tmux.conf index 0ba442291..30e2eebb7 100644 --- a/malcolm-iso/config/includes.chroot/etc/skel/.tmux.conf +++ b/malcolm-iso/config/includes.chroot/etc/skel/.tmux.conf 
@@ -41,3 +41,5 @@ bind r source-file ~/.tmux.conf\; display "Reloaded conf." # Use vim keybindings in copy mode setw -g mode-keys vi +# don't increase the user count for every pane +set -g default-command "${SHELL}" diff --git a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-mapping.desktop b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-mapping.desktop deleted file mode 100644 index 1ec8d8648..000000000 --- a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-mapping.desktop +++ /dev/null @@ -1,11 +0,0 @@ -[Desktop Entry] -Version=1.0 -Name=Malcolm - Host and Subnet Name Mapping -Exec=/opt/firefox/firefox https://localhost/name-map-ui/ -Terminal=false -X-MultipleArgs=false -Type=Application -Icon=server.png -Categories=Network; -StartupWMClass=Firefox -StartupNotify=true diff --git a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-users.desktop b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-users.desktop index ea603f854..411365af7 100644 --- a/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-users.desktop +++ b/malcolm-iso/config/includes.chroot/usr/share/applications/malcolm-users.desktop @@ -1,6 +1,6 @@ Version=1.0 Name=Malcolm - User Management -Exec=/opt/firefox/firefox https://localhost:488/ +Exec=/opt/firefox/firefox https://localhost/auth/ Terminal=false X-MultipleArgs=false Type=Application diff --git a/malcolm-iso/config/package-lists/python.list.chroot b/malcolm-iso/config/package-lists/python.list.chroot index 2cf6d89cf..02ceb6d7a 100644 --- a/malcolm-iso/config/package-lists/python.list.chroot +++ b/malcolm-iso/config/package-lists/python.list.chroot @@ -7,5 +7,4 @@ python3-psutil python3-pycryptodome python3-dialog python3-requests -python3-ruamel.yaml python3-yaml \ No newline at end of file diff --git a/name-map-ui/config/fpm-pool.conf b/name-map-ui/config/fpm-pool.conf deleted file mode 100644 index a3a6b288f..000000000 
--- a/name-map-ui/config/fpm-pool.conf +++ /dev/null 
@@ -1,56 +0,0 @@ -[global] -; Log to /dev/fd/1 for docker -error_log = /dev/fd/1 - -[www] -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on -; a specific port; -; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses -; (IPv6 and IPv4-mapped) on a specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. -listen = 127.0.0.1:9000 - -; Enable status page -pm.status_path = /fpm-status - -; Ondemand process manager -pm = ondemand - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. The below defaults are based on a server without much resources. Don't -; forget to tweak pm.* to fit your needs. -; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' -; Note: This value is mandatory. -pm.max_children = 100 - -; The number of seconds after which an idle process will be killed. -; Note: Used only when pm is set to 'ondemand' -; Default Value: 10s -pm.process_idle_timeout = 10s; - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. 
-; Default Value: 0 -pm.max_requests = 1000 - -; Make sure the FPM workers can reach the environment variables for configuration -clear_env = no - -; Catch output from PHP -catch_workers_output = yes - -; Remove the 'child 10 said into stderr' prefix in the log and only show the actual message -decorate_workers_output = no - -; Enable ping page to use in healthcheck -ping.path = /fpm-ping diff --git a/name-map-ui/config/nginx.conf b/name-map-ui/config/nginx.conf deleted file mode 100644 index b93d077a4..000000000 --- a/name-map-ui/config/nginx.conf +++ /dev/null 
@@ -1,92 +0,0 @@ -worker_processes 1; -error_log stderr warn; -pid /tmp/nginx.pid; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - - # Define custom log format to include reponse times - log_format main_timed '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for" ' - '$request_time $upstream_response_time $pipe $upstream_cache_status'; - - access_log /var/log/nginx/access.log main_timed; - error_log /var/log/nginx/error.log notice; - - keepalive_timeout 65; - - # Write temporary files to /tmp so they can be created as a non-privileged user - client_body_temp_path /tmp/client_temp; - proxy_temp_path /tmp/proxy_temp_path; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - # Default server definition - server { - listen 8080 default_server; - server_name _; - - sendfile off; - - root /var/www/html; - index index.php index.html; - - location / { - # First attempt to serve request as file, then - # as directory, then fall back to index.php - try_files $uri $uri/ /index.php?q=$uri&$args; - } - - location ~* maps/.+\.(txt|json)$ { - expires -1; - add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - } - - # Redirect server error pages to the static page /50x.html - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /var/lib/nginx/html; - } - - # Pass the PHP scripts to PHP-FPM listening on 127.0.0.1:9000 - location ~ \.php$ { - try_files $uri =404; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass 127.0.0.1:9000; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - fastcgi_index index.php; - include fastcgi_params; - } - - location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ { - expires 5d; - } - - # Deny access to . 
files, for security - location ~ /\. { - log_not_found off; - deny all; - } - - # Allow fpm ping and status from localhost - location ~ ^/(fpm-status|fpm-ping)$ { - access_log off; - allow 127.0.0.1; - deny all; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - include fastcgi_params; - fastcgi_pass 127.0.0.1:9000; - } - } - - # Include other server configs - include /etc/nginx/conf.d/*.conf; -} diff --git a/name-map-ui/config/php.ini b/name-map-ui/config/php.ini deleted file mode 100644 index d91b95891..000000000 --- a/name-map-ui/config/php.ini +++ /dev/null @@ -1,7 +0,0 @@ -[PHP] -file_uploads = On -upload_max_filesize = 64M -max_file_uploads = 4 - -[Date] -date.timezone="UTC" diff --git a/name-map-ui/config/supervisor_logstash_ctl.conf b/name-map-ui/config/supervisor_logstash_ctl.conf deleted file mode 100644 index 700b4cfae..000000000 --- a/name-map-ui/config/supervisor_logstash_ctl.conf +++ /dev/null @@ -1,10 +0,0 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -[supervisord] -nodaemon=true -logfile=/dev/null -logfile_maxbytes=0 -pidfile=/tmp/supervisord-logstash.pid - -[supervisorctl] -serverurl=http://logstash:9001 diff --git a/name-map-ui/config/supervisor_netbox_ctl.conf b/name-map-ui/config/supervisor_netbox_ctl.conf deleted file mode 100644 index e354667cb..000000000 --- a/name-map-ui/config/supervisor_netbox_ctl.conf +++ /dev/null @@ -1,10 +0,0 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -[supervisord] -nodaemon=true -logfile=/dev/null -logfile_maxbytes=0 -pidfile=/tmp/supervisord-netbox.pid - -[supervisorctl] -serverurl=http://netbox:9001 diff --git a/name-map-ui/config/supervisord.conf b/name-map-ui/config/supervisord.conf deleted file mode 100644 index 00da1bfa9..000000000 --- a/name-map-ui/config/supervisord.conf +++ /dev/null 
@@ -1,72 +0,0 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -[unix_http_server] -file=/tmp/supervisor-main.sock ; (the path to the socket file) -chmod=0700 - -[supervisord] -nodaemon=true -logfile=/dev/null -logfile_maxbytes=0 -pidfile=/tmp/supervisor-main.pid - -[rpcinterface:supervisor] -supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface - -[supervisorctl] -serverurl=unix:///tmp/supervisor-main.sock - -[program:php-fpm] -command=/usr/sbin/php-fpm81 -F -stopasgroup=true -killasgroup=true -stdout_logfile=/dev/fd/1 -stdout_logfile_maxbytes=0 -redirect_stderr=true -autorestart=false -startretries=0 - -[program:nginx] -command=/usr/sbin/nginx -g 'daemon off;' -stopasgroup=true -killasgroup=true -stdout_logfile=/dev/fd/1 -stdout_logfile_maxbytes=0 -redirect_stderr=true -autorestart=false -startretries=0 - -[program:logaccess] -command=/usr/bin/tail -F /var/log/nginx/access.log -startsecs=10 -startretries=2000000000 -stopasgroup=true -killasgroup=true -stdout_logfile=/dev/fd/1 -stdout_logfile_maxbytes=0 -stderr_logfile=/dev/null -stdout_logfile_maxbytes=0 -redirect_stderr=false - -[program:logerrors] -command=/usr/bin/tail -F /var/log/nginx/error.log -startsecs=10 -startretries=2000000000 -stopasgroup=true -killasgroup=true -stdout_logfile=/dev/fd/1 -stdout_logfile_maxbytes=0 -stderr_logfile=/dev/null -stdout_logfile_maxbytes=0 -redirect_stderr=false - -[program:watch-upload] -command=/bin/bash -c "sleep 15 && /usr/local/bin/name-map-save-watch.sh" -startsecs=20 -startretries=1 -stopasgroup=true -killasgroup=true -directory=/var/www/html/upload -stdout_logfile=/dev/fd/1 -stdout_logfile_maxbytes=0 -redirect_stderr=true diff --git a/name-map-ui/scripts/name-map-save-watch.sh b/name-map-ui/scripts/name-map-save-watch.sh deleted file mode 100755 index 254a47c91..000000000 --- a/name-map-ui/scripts/name-map-save-watch.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -PROCESS_DIR=${NAME_MAP_SAVE_DIR:-/var/www/html/upload/} -DEST_MAP=${NAME_MAP_JSON:-/var/www/html/maps/net-map.json} - -inotifywait -m -e close_write --format '%w%f' "${PROCESS_DIR}" | while read NEWFILE -do - sleep 0.1 - # verify that the file is json|txt and that it is valid JSON - FILEMIME=$(file -b --mime-type "$NEWFILE") - if ( echo "$FILEMIME" | grep -q -e "\(application/json\|text/plain\)" ) && ( python3 -mjson.tool "$NEWFILE" >/dev/null 2>&1 ); then - # move the new net-map.json file into its final location - # (done like this with "tee" since we may not be able to cp overwrite a volume-mounted file) - (>/dev/null tee "$DEST_MAP" < "$NEWFILE") && echo "\"$NEWFILE\" -> \"$DEST_MAP\"" - rm -f "$NEWFILE" - else - # invalid or unhandled file type uploaded, delete it - (>&2 rm -f "$NEWFILE") && echo "Removed \"$NEWFILE\" (\"$FILEMIME\"): invalid file type or format" - fi -done diff --git a/name-map-ui/site/index.html b/name-map-ui/site/index.html deleted file mode 100644 index 4152e343b..000000000 --- a/name-map-ui/site/index.html +++ /dev/null @@ -1,466 +0,0 @@ - - - - - - - - - - - - - - - - Host and Network Segment Name Mapping - - - - -
-
-
- -

Host and Network Segment Name Mapping

-
- - - - - - - - - - - - - - - - - - - - - - - - -
TypeAddressName - -
- - - - - - - - - - -
- - - - - - - - - -
-
-
-
-
- - - - - - \ No newline at end of file diff --git a/name-map-ui/site/mapping.css b/name-map-ui/site/mapping.css deleted file mode 100644 index a153aea42..000000000 --- a/name-map-ui/site/mapping.css +++ /dev/null 
@@ -1,229 +0,0 @@ -/* Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. */ - -html { - font-family: sans-serif; - line-height: 1.15; -} - -body { - margin: 0; - font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; - font-size: 0.9375rem; - font-weight: 400; - line-height: 1.5; - color: #cecece; - text-align: left; - background-color: #272B30; -} - -body, -div, -dl, -dt, -dd, -ul, -ol, -li, -h1, -h2, -h3, -h4, -h5, -h6, -pre, -form, -fieldset, -input, -textarea, -p, -blockquote, -th, -td { - margin-top: 0; - margin-bottom: 0.5rem -} - -table { - border-collapse: collapse; - border-spacing: 0; -} - -fieldset, -img { - border: 0; -} - -img.center { - display: block; - margin-left: auto; - margin-right: auto; - width: 50%; -} - -ol, -ul, -dl { - margin-top: 0; - margin-bottom: 0.5rem -} - -caption, -th { - text-align: left; -} - -header { - float: left; - margin-bottom: 20px; - width: 100%; -} - -address { - margin-bottom: 1rem; - line-height: inherit -} - -#container { - width: 800px; - margin-top: auto; - margin-bottom: auto; - margin-right: auto; - margin-left: auto; -} - -.c1 { - width: 800px; - float: left; -} - -.c2 { - width: 355px; - float: left; -} - -.c3 { - width: 235px; - float: left; -} - -p { - margin-top: 0; - margin-bottom: 1rem -} - -h1 { - letter-spacing: 1px; - text-align: center; - text-shadow: #262729 0 -1px 0; -} - -h2 { - color: #bbb; - text-shadow: #262729 0 -1px 0; - font-weight: 300; - text-align: center; -} - -input { - padding: 2px 10px; - border-radius: 10px; - border: solid 1px #555; - float: center; - margin-right: 10px; - margin-bottom: 15px; -} - -input:focus { - border: none; - outline: none; - color: #007bff; - font-weight: bold; - border-top: solid 1px #aaa; - border-right: solid 1px #e6e6e6; - border-bottom: solid 1px #e6e6e6; - border-left: solid 1px #aaa; -} - -table { 
- width: 100%; - margin-bottom: 10px; -} - -th { - background-color: rgba(23, 25, 28, .8); - border: solid 1px rgba(255, 255, 255, .1); - padding: 10px 10px; - text-align: center; - font-weight: bold; - color: #ddd; - width: auto; -} - -tr:hover { - background-color: #454c54; -} - -td { - padding: 10px 10px; - border: solid 1px rgba(255, 255, 255, .1); - width: auto; -} - -td.update, -td.remove, -td.type { - text-align: center; -} - -td.address { - font-family: monospace; -} - -button.add-btn, -button.update-btn, -button.cancel-btn, -button.edit-item-btn, -button.remove-item-btn { - font-size: 1.33rem; - border: 2px #ddd; - border-radius: 4px; -} - -button.save-btn, -button.export-btn, -button.import-btn, -button.restart-btn { - font-size: 0.9rem; -} - -#container.mapping-page { - margin-top: 10px; -} - -#mapping { - margin-bottom: 20px; -} - -#mapping td.update, -#mapping td.remove { - width: 130px; -} - -#mapping td.add { - width: 300px; - text-align: center; -} - -#mapping td.foot { - text-align: center; -} - -#mapping input { - width: 130px; - margin: 0; - border-radius: 5px; -} - -#mapping input.search { - width: 250px; -} \ No newline at end of file diff --git a/name-map-ui/site/restart-logstash.php b/name-map-ui/site/restart-logstash.php deleted file mode 100644 index ce04650f0..000000000 --- a/name-map-ui/site/restart-logstash.php +++ /dev/null @@ -1,7 +0,0 @@ -$output"; -} -?> diff --git a/name-map-ui/site/upload.html b/name-map-ui/site/upload.html deleted file mode 100644 index 01bdc734a..000000000 --- a/name-map-ui/site/upload.html +++ /dev/null @@ -1,8 +0,0 @@ - - -
- Choose a file to upload: - -
- - diff --git a/name-map-ui/site/upload.php b/name-map-ui/site/upload.php deleted file mode 100644 index 98f85246c..000000000 --- a/name-map-ui/site/upload.php +++ /dev/null @@ -1,57 +0,0 @@ - 67108864) { - throw new RuntimeException('Exceeded filesize limit'); - } - - // check upload MIME type - $finfo = new finfo(FILEINFO_MIME_TYPE); - $fmime = $finfo->file($_FILES['upfile']['tmp_name']); - if (false === $ext = array_search($fmime, - array('json' => 'application/json', - 'txt' => 'text/plain'), - true)) { - throw new RuntimeException(sprintf('Invalid file format: "%s"', $fmime)); - } - - // give file unique name based on sha - $ftmpname = $_FILES['upfile']['tmp_name']; - $fdstname = sprintf('./upload/%s.%s', - sha1_file($_FILES['upfile']['tmp_name']), - $ext); - if (!move_uploaded_file($ftmpname, $fdstname)) { - throw new RuntimeException(sprintf('Failed to move uploaded file ("%s" -> "%s")', $ftmpname, $fdstname)); - } - - echo 'Success'; - -} catch (RuntimeException $e) { - error_log ($e->getMessage()); - echo $e->getMessage(); -} - -?> \ No newline at end of file diff --git a/netbox/env/.gitignore b/netbox/env/.gitignore deleted file mode 100644 index 981ab9771..000000000 --- a/netbox/env/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -postgres.env -redis-cache.env -redis.env -netbox.env \ No newline at end of file diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py index 88f27b068..1f04b14b2 100755 --- a/netbox/scripts/netbox_init.py +++ b/netbox/scripts/netbox_init.py @@ -26,6 +26,7 @@ script_path = os.path.dirname(os.path.realpath(__file__)) orig_path = os.getcwd() + ################################################################################################### def get_iterable(x): if isinstance(x, Iterable) and not isinstance(x, str): @@ -36,7 +37,7 @@ def get_iterable(x): def is_ip_address(x): try: - ip = ipaddress.ip_address(x) + ipaddress.ip_address(x) return True except Exception: return False 
@@ -44,7 +45,7 @@ def is_ip_address(x): def is_ip_v4_address(x): try: - ip = ipaddress.IPv4Address(x) + ipaddress.IPv4Address(x) return True except Exception: return False @@ -52,7 +53,7 @@ def is_ip_v4_address(x): def is_ip_v6_address(x): try: - ip = ipaddress.IPv6Address(x) + ipaddress.IPv6Address(x) return True except Exception: return False @@ -60,7 +61,7 @@ def is_ip_v6_address(x): def is_ip_network(x): try: - ip = ipaddress.ip_network(x) + ipaddress.ip_network(x) return True except Exception: return False @@ -274,14 +275,14 @@ def main(): # wait for a good connection while args.wait: try: - sitesConnTest = [x.name for x in nb.dcim.sites.all()] + [x.name for x in nb.dcim.sites.all()] break except Exception as e: logging.info(f"{type(e).__name__}: {e}") logging.debug("retrying in a few seconds...") time.sleep(5) - ###### GROUPS ################################################################################################ + # GROUPS ##################################################################################################### DEFAULT_GROUP_NAMES = ( args.staffGroupName, args.defaultGroupName, @@ -303,7 +304,7 @@ def main(): except Exception as e: logging.error(f"{type(e).__name__} processing groups: {e}") - ####### PERMISSIONS ########################################################################################### + # PERMISSIONS ################################################################################################## DEFAULT_PERMISSIONS = { f'{args.staffGroupName}_permission': { 'name': f'{args.staffGroupName}_permission', @@ -531,7 +532,6 @@ def main(): with open(args.netMapFileName) as f: netMapJson = json.load(f) if netMapJson is not None: - # create new VRFs vrfPreExisting = {x.name: x for x in nb.ipam.vrfs.all()} logging.debug(f"VRFs (before): { {k:v.id for k, v in vrfPreExisting.items()} }") diff --git a/netbox/scripts/netbox_library_import.py b/netbox/scripts/netbox_library_import.py index 2e3a1abff..034ec0306 100644 
--- a/netbox/scripts/netbox_library_import.py +++ b/netbox/scripts/netbox_library_import.py @@ -19,14 +19,13 @@ def slugFormat(name): - return re.sub('\W+', '-', name.lower()) + return re.sub(r'\W+', '-', name.lower()) YAML_EXTENSIONS = ['yml', 'yaml'] def getFiles(library_dir, vendors=None): - files = [] discoveredVendors = [] base_path = os.path.join(library_dir, 'device-types', '') @@ -91,7 +90,7 @@ def readYAMl(files, **kwargs): with open(file, 'r') as stream: try: data = yaml.safe_load(stream) - except yaml.YAMLError as exc: + except yaml.YAMLError: continue manufacturer = data['manufacturer'] data['manufacturer'] = {} @@ -107,7 +106,6 @@ def readYAMl(files, **kwargs): def read_yaml_modules(files, **kwargs): - slugs = kwargs.get('slugs', None) module_types = [] manufacturers = [] @@ -115,7 +113,7 @@ def read_yaml_modules(files, **kwargs): with open(file, 'r') as stream: try: data = yaml.safe_load(stream) - except yaml.YAMLError as exc: + except yaml.YAMLError: continue manufacturer = data['manufacturer'] data['manufacturer'] = {} @@ -147,7 +145,7 @@ def createManufacturers(vendors, nb, counter=None): if counter is not None: for man in manSuccess: counter.update({'manufacturer': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -169,7 +167,7 @@ def createInterfaces(interfaces, deviceType, nb, counter=None): if counter is not None: for intf in ifSuccess: counter.update({'updated': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -191,7 +189,7 @@ def create_module_interfaces(interfaces, module_type, nb, counter=None): if counter is not None: for intf in ifSuccess: counter.update({'module_port_added': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass 
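Review bot: Each `except pynetbox.RequestError:` followed by `pass` in this hunk (createManufacturers) and the matching ones through the later hunks (createInterfaces, create_module_interfaces, the console/power/front/rear port, bay and outlet helpers, createDeviceTypes and create_module_types) now discards the error entirely; dropping the unused `as e` satisfies the linter but leaves API failures invisible, so an import that silently creates nothing gives no trace of why. If the best-effort behaviour is intended, keeping the binding and recording it preserves diagnostics without changing control flow: `except pynetbox.RequestError as e:` / `logging.debug(f"{type(e).__name__} creating manufacturers: {e}")`. This assumes `logging` is imported in this module, which the hunk does not show; if it is not, a comment such as `# best-effort: failures creating manufacturers are intentionally ignored` would at least document why the error is swallowed.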
@@ -213,12 +211,11 @@ def createConsolePorts(consoleports, deviceType, nb, counter=None): if counter is not None: for port in cpSuccess: counter.update({'updated': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass def create_module_console_ports(consoleports, module_type, nb, counter=None): - all_consoleports = {str(item): item for item in nb.dcim.console_port_templates.filter(moduletype_id=module_type)} need_consoleports = [] for consoleport in consoleports: @@ -236,7 +233,7 @@ def create_module_console_ports(consoleports, module_type, nb, counter=None): if counter is not None: for port in cpSuccess: counter.update({'module_port_added': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -258,7 +255,7 @@ def createPowerPorts(powerports, deviceType, nb, counter=None): if counter is not None: for pp in ppSuccess: counter.update({'updated': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -280,7 +277,7 @@ def create_module_power_ports(powerports, module_type, nb, counter=None): if counter is not None: for pp in ppSuccess: counter.update({'module_port_added': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -304,7 +301,7 @@ def createConsoleServerPorts(consoleserverports, deviceType, nb, counter=None): if counter is not None: for csp in cspSuccess: counter.update({'updated': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -328,7 +325,7 @@ def create_module_console_server_ports(consoleserverports, module_type, nb, coun if counter is not None: for csp in cspSuccess: counter.update({'module_port_added': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -358,7 +355,7 @@ def createFrontPorts(frontports, deviceType, nb, counter=None): if counter is not None: for fp in fpSuccess: counter.update({'updated': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass 
@@ -388,7 +385,7 @@ def create_module_front_ports(frontports, module_type, nb, counter=None): if counter is not None: for fp in fpSuccess: counter.update({'module_port_added': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -410,7 +407,7 @@ def createRearPorts(rearports, deviceType, nb, counter=None): if counter is not None: for rp in rpSuccess: counter.update({'updated': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -432,7 +429,7 @@ def create_module_rear_ports(rearports, module_type, nb, counter=None): if counter is not None: for rp in rpSuccess: counter.update({'module_port_added': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -454,7 +451,7 @@ def createDeviceBays(devicebays, deviceType, nb, counter=None): if counter is not None: for db in dbSuccess: counter.update({'updated': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -483,7 +480,7 @@ def create_module_bays(module_bays, device_type, nb, counter=None): if counter is not None: for module_bay in module_bay_res: counter.update({'updated': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -513,7 +510,7 @@ def createPowerOutlets(poweroutlets, deviceType, nb, counter=None): if counter is not None: for po in poSuccess: counter.update({'updated': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -556,7 +553,7 @@ def create_module_power_outlets(poweroutlets, module_type, nb, counter=None): if counter is not None: for po in poSuccess: counter.update({'module_port_added': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass @@ -570,7 +567,7 @@ def createDeviceTypes(deviceTypes, nb, counter=None): dt = nb.dcim.device_types.create(deviceType) if counter is not None: counter.update({'added': 1}) - except pynetbox.RequestError as e: + except pynetbox.RequestError: pass if "interfaces" in deviceType: 
@@ -621,7 +618,7 @@ def create_module_types(module_types, nb, counter=None): module_type_res = nb.dcim.module_types.create(curr_mt) if counter is not None: counter.update({'module_added': 1}) - except pynetbox.RequestError as exce: + except pynetbox.RequestError: pass # module_type_res = all_module_types[curr_mt['manufacturer']['slug']][curr_mt["model"]] @@ -652,7 +649,6 @@ def import_library(nb, library_dir): ) if library_dir is not None and os.path.isdir(library_dir): - files, vendors = getFiles(library_dir) deviceTypes = readYAMl(files) createManufacturers(vendors, nb, counter=cntr) diff --git a/nginx/nginx.conf b/nginx/nginx.conf index d73d9c868..05a138c45 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -61,10 +61,6 @@ http { server logstash:9600; } - upstream name-map-ui { - server name-map-ui:8080; - } - upstream netbox { server netbox:8080; } @@ -73,15 +69,14 @@ http { server file-monitor:8440; } - # htadmin (htpasswd/user management) + # health check ("here I am") without authentication server { - listen 488; + listen 8443; include /etc/nginx/nginx_ssl_config.conf; location / { - proxy_pass http://htadmin; - proxy_redirect off; - proxy_set_header Host htadmin.malcolm.local; + add_header Content-Type text/plain; + return 200 'Malcolm\n'; } } 
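Review bot: In the new health-check server, `add_header Content-Type text/plain;` does not replace the header nginx itself generates for a `return 200 'Malcolm\n';` response (that one comes from `default_type`), so clients can receive two Content-Type headers. Use the directive that controls the generated header instead: `default_type text/plain;` in place of the `add_header` line. Since this server block is deliberately reachable without authentication on 8443, a one-line comment stating that it must only ever return a static literal (no request-derived variables) would make that intent durable. The enclosing `http` block starts and ends outside the hunk.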
@@ -90,20 +85,48 @@ http { listen 443; include /etc/nginx/nginx_ssl_config.conf; - # use either auth_basic or auth_ldap - include /etc/nginx/nginx_auth_rt.conf; + # favicon, logos, banners, etc. + include /etc/nginx/nginx_image_aliases.conf; + + # HTTP basic user management (doesn't use nginx_auth_rt as it does its own auth directly) + location /auth { + proxy_pass http://htadmin; + proxy_redirect off; + proxy_set_header Accept-Encoding ""; + proxy_set_header Host htadmin.malcolm.local; + rewrite ^/auth/?(.*) /$1 break; + subs_filter_types '*'; + subs_filter '(src|action|href)="([\w\.-]+\.(php|css|js))' '$1="/auth/$2' gir; + subs_filter 'href="styles/' 'href="/auth/styles/' gi; + subs_filter 'src="script/' 'src="/auth/script/' gi; + subs_filter '/fonts/glyphicons' '/auth/fonts/glyphicons' gi; + } + location ~* ^/(htadmin|admin_login)(\.php)\b(.*) { + proxy_pass http://htadmin/$1$2$3; + proxy_redirect off; + proxy_set_header Accept-Encoding ""; + proxy_set_header Host htadmin.malcolm.local; + subs_filter_types '*'; + subs_filter '(src|action|href)="([\w\.-]+\.(php|css|js))' '$1="/auth/$2' gir; + subs_filter 'href="styles/' 'href="/auth/styles/' gi; + subs_filter 'src="script/' 'src="/auth/script/' gi; + subs_filter '/fonts/glyphicons' '/auth/fonts/glyphicons' gi; + } # Malcolm readme location /readme { + include /etc/nginx/nginx_auth_rt.conf; root /usr/share/nginx/html; try_files $uri $uri/index.html; } # Malcolm file upload location /upload { + include /etc/nginx/nginx_auth_rt.conf; proxy_http_version 1.1; proxy_set_header Connection ""; - proxy_pass http://upload/; + rewrite ^/upload(.*)/?$ /$1 break; + proxy_pass http://upload; proxy_redirect off; proxy_set_header Host upload.malcolm.local; proxy_request_buffering off; 
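Review bot: Authentication moves from the server level to an `include /etc/nginx/nginx_auth_rt.conf;` inside each location, which makes it opt-in: any location added later without that line is served unauthenticated, and the only places that intentionally omit it here are `/auth` and the `htadmin|admin_login` regex location, which rely on htadmin's own login. A comment at the top of the server block would make the invariant explicit, e.g. `# NOTE: auth is applied per-location; every location must include nginx_auth_rt.conf unless it is intentionally public`. Separately, the upload rewrite `rewrite ^/upload(.*)/?$ /$1 break;` captures the leading slash, so `/upload/foo` reaches the upstream as `//foo`, unlike the `/auth` rewrite in the same hunk; `rewrite ^/upload/?(.*)$ /$1 break;` would be consistent with it. The enclosing server block begins outside the hunk.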
@@ -111,9 +134,10 @@ http { client_max_body_size 50G; } location /server/php { + include /etc/nginx/nginx_auth_rt.conf; proxy_http_version 1.1; proxy_set_header Connection ""; - proxy_pass http://upload/server/php/; + proxy_pass http://upload/server/php; proxy_redirect off; proxy_set_header Host upload.malcolm.local; proxy_request_buffering off; @@ -123,6 +147,7 @@ http { # Logstash statistics location ~* ^/logstash\b(.*) { + include /etc/nginx/nginx_auth_rt.conf; proxy_pass http://logstash-stats/_node/stats$1; proxy_redirect off; proxy_set_header Host arkime.malcolm.local; @@ -130,7 +155,7 @@ http { # Arkime -> Dashboards shortcut location ~* ^/idark2dash(.*) { - + include /etc/nginx/nginx_auth_rt.conf; set $filter_start_time now-1d; if ($arg_start != '') { set $filter_start_time \'$arg_start\'; @@ -178,6 +203,7 @@ http { # already prepended /dashboards to match the server.basePath in OpenSearch Dashboards's YML config file location /dashboards { + include /etc/nginx/nginx_auth_rt.conf; proxy_pass http://dashboards; proxy_redirect off; proxy_set_header Host dashboards.malcolm.local; @@ -185,20 +211,14 @@ http { # offline region maps for dashboards location /world.geojson { + include /etc/nginx/nginx_auth_rt.conf; proxy_pass http://dashboards-maps; proxy_redirect off; proxy_set_header Host dashboards-helper.malcolm.local; } - # name-map-ui (UI for mapping names to network hosts and subnets) - location /name-map-ui { - proxy_pass http://name-map-ui/; - proxy_redirect off; - proxy_set_header Host name-map-ui.malcolm.local; - proxy_cache off; - } - location ~* ^/extracted-files\b(.*) { + include /etc/nginx/nginx_auth_rt.conf; proxy_pass http://extracted-file-http-server$1; proxy_redirect off; proxy_set_header Host file-monitor.malcolm.local; @@ -206,6 +226,7 @@ http { # netbox location /netbox { + include /etc/nginx/nginx_auth_rt.conf; proxy_pass http://netbox; proxy_redirect off; proxy_set_header Host netbox.malcolm.local; 
@@ -215,12 +236,10 @@ http { proxy_set_header X-Remote-Auth $authenticated_user; } - # favicon, logos, banners, etc. - include /etc/nginx/nginx_image_aliases.conf; - # Fix cyberchef JS module(s) # https://localhost/arkime/session/190924-KgO9H30qhdREw7ltsDXn1Rgp/modules/Regex.js location ~* ^/arkime/session/.*/(modules/.*\.js) { + include /etc/nginx/nginx_auth_rt.conf; proxy_hide_header Content-Type; proxy_set_header Content-Type "application/javascript"; add_header Content-Type "application/javascript"; @@ -236,13 +255,15 @@ http { # Malcolm API location /mapi { - proxy_pass http://api/; + include /etc/nginx/nginx_auth_rt.conf; + proxy_pass http://api; proxy_redirect off; proxy_set_header Host api.malcolm.local; } # Arkime location / { + include /etc/nginx/nginx_auth_rt.conf; proxy_pass https://arkime; proxy_ssl_verify off; proxy_redirect off; 
@@ -252,52 +273,6 @@ http { } } - # OpenSearch dashboards interface - server { - listen 5601; - include /etc/nginx/nginx_ssl_config.conf; - - # use either auth_basic or auth_ldap - include /etc/nginx/nginx_auth_rt.conf; - - # favicon, logos, banners, etc. - include /etc/nginx/nginx_image_aliases.conf; - - # Dashboards -> Arkime shortcut - location ~* /iddash2ark/(.*) { - rewrite ^.*/iddash2ark/(.*) /sessions?expression=($1) redirect; - proxy_pass https://arkime; - proxy_ssl_verify off; - proxy_redirect off; - proxy_set_header Host arkime.malcolm.local; - proxy_set_header http_auth_http_user $authenticated_user; - proxy_set_header Authorization ""; - } - - # Dashboards -> extracted file download - location ~* /dl-extracted-files/(.*) { - rewrite ^.*/dl-extracted-files/(.*) /extracted-files/$1 redirect; - proxy_pass http://extracted-file-http-server; - proxy_redirect off; - proxy_set_header Host file-monitor.malcolm.local; - } - - # already prepended /dashboards to match the server.basePath in OpenSearch Dashboards' YML config file - location /dashboards { - proxy_pass http://dashboards; - proxy_redirect off; - proxy_set_header Host dashboards.malcolm.local; - } - - # otherwise prepend /dashboards to match the server.basePath in OpenSearch Dashboards' YML config file - location / { - rewrite ^/(.*) /dashboards/$1; - proxy_pass http://dashboards; - proxy_redirect off; - proxy_set_header Host dashboards.malcolm.local; - } - } - # OpenSearch API server { listen 9200; diff --git a/nginx/nginx_auth_basic.conf b/nginx/nginx_auth_basic.conf index 42cc9d1f6..3dc64c678 100644 --- a/nginx/nginx_auth_basic.conf +++ b/nginx/nginx_auth_basic.conf @@ -1,3 +1,3 @@ auth_basic "Authentication Required"; -auth_basic_user_file /etc/nginx/.htpasswd; +auth_basic_user_file /etc/nginx/auth/htpasswd; set $authenticated_user $remote_user; diff --git a/nginx/nginx_readonly.conf b/nginx/nginx_readonly.conf index 5b4a7cc92..61e6b0012 100644 --- a/nginx/nginx_readonly.conf 
+++ b/nginx/nginx_readonly.conf @@ -53,6 +53,17 @@ http { server file-monitor:8440; } + # health check ("here I am") without authentication + server { + listen 8443; + include /etc/nginx/nginx_ssl_config.conf; + + location / { + add_header Content-Type text/plain; + return 200 'Malcolm\n'; + } + } + # Main web interface server { listen 443; @@ -168,7 +179,7 @@ http { # Malcolm API location /mapi { - proxy_pass http://api/; + proxy_pass http://api; proxy_redirect off; proxy_set_header Host api.malcolm.local; } diff --git a/nginx/scripts/docker_entrypoint.sh b/nginx/scripts/docker_entrypoint.sh index 8215af859..4d96735d7 100755 --- a/nginx/scripts/docker_entrypoint.sh +++ b/nginx/scripts/docker_entrypoint.sh @@ -38,7 +38,7 @@ NGINX_SSL_CONF=/etc/nginx/nginx_ssl_config.conf # a blank file just to use as an "include" placeholder for the nginx's LDAP config when LDAP is not used NGINX_BLANK_CONF=/etc/nginx/nginx_blank.conf -# "include" file for auth_basic, prompt, and .htpasswd location +# "include" file for auth_basic, prompt, and htpasswd location NGINX_BASIC_AUTH_CONF=/etc/nginx/nginx_auth_basic.conf # "include" file for auth_ldap, prompt, and "auth_ldap_servers" name @@ -92,7 +92,7 @@ if (( ${#CA_FILES} )) ; then # variables for nginx config NGINX_LDAP_CA_PATH_LINE=" ssl_ca_dir $CA_TRUST_RUN_DIR;" - ( [[ -n $NGINX_LDAP_TLS_STUNNEL_CHECK_HOST ]] || [[ -n $NGINX_LDAP_TLS_STUNNEL_CHECK_IP ]] ) && NGINX_LDAP_CHECK_REMOTE_CERT_LINE=" ssl_check_cert on;" || NGINX_LDAP_CHECK_REMOTE_CERT_LINE=" ssl_check_cert chain;" + ( [[ -n $NGINX_LDAP_TLS_STUNNEL_CHECK_HOST ]] || [[ -n $NGINX_LDAP_TLS_STUNNEL_CHECK_IP ]] ) && NGINX_LDAP_CHECK_REMOTE_CERT_LINE=" ssl_check_cert on;" || NGINX_LDAP_CHECK_REMOTE_CERT_LINE=" ssl_check_cert off;" fi popd >/dev/null 2>&1 fi 
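Review bot: The fallback when neither NGINX_LDAP_TLS_STUNNEL_CHECK_HOST nor NGINX_LDAP_TLS_STUNNEL_CHECK_IP is set now emits `ssl_check_cert off;` instead of `ssl_check_cert chain;`, which turns verification of the LDAP server certificate off entirely even though the preceding `ssl_ca_dir` line still points at the CA directory that was used for chain checking. If `chain` was dropped because it failed in practice, that reason belongs in a comment on this line, e.g. `# no host/IP given to pin: remote LDAP certificate is NOT verified`, and echoing a warning to the container log in this branch would make the weaker default visible to operators instead of silent. The enclosing `if (( ${#CA_FILES} ))` block begins before the hunk.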
@@ -237,5 +237,14 @@ EOF fi # basic vs. ldap +if [[ ! -f /etc/nginx/auth/htpasswd ]] && [[ -f /tmp/auth/default/htpasswd ]]; then + cp /tmp/auth/default/htpasswd /etc/nginx/auth/htpasswd + [[ -n ${PUID} ]] && chown -f ${PUID} /etc/nginx/auth/htpasswd + [[ -n ${PGID} ]] && chown -f :${PGID} /etc/nginx/auth/htpasswd + rm -rf /tmp/auth/* || true +fi + +rm -rf /var/log/nginx/* || true + # start supervisor (which will spawn nginx, stunnel, etc.) or whatever the default command is exec "$@" diff --git a/pcap-monitor/scripts/watch-pcap-uploads-folder.py b/pcap-monitor/scripts/watch-pcap-uploads-folder.py new file mode 100755 index 000000000..d526589ad --- /dev/null +++ b/pcap-monitor/scripts/watch-pcap-uploads-folder.py 
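Review bot: The default htpasswd copied to `/etc/nginx/auth/htpasswd` keeps whatever mode `cp` gives it (source mode filtered by umask), and the two `chown -f` lines only adjust ownership, so the credential file's permissions depend on how `/tmp/auth/default/htpasswd` was baked into the image. An explicit `chmod 640 /etc/nginx/auth/htpasswd` (or whichever mode the nginx worker actually needs) right after the copy pins that down, and quoting `"${PUID}"`/`"${PGID}"` in the chown lines is safer should the values ever contain whitespace. The unconditional `rm -rf /var/log/nginx/*` on every start discards any access and error logs left from the previous run, which matters if that directory is ever a persisted volume consulted during incident review; if it is always ephemeral, a comment saying so would explain why the logs are wiped.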
@@ -0,0 +1,260 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. + +################################################################################################### +# Monitor a directory for PCAP files for processing (by publishing their filenames to a ZMQ socket) +# +# Run the script with --help for options +################################################################################################### + +import argparse +import glob +import logging +import magic +import os +import pathlib +import shutil +import signal +import sys +import time + +import malcolm_utils +from malcolm_utils import eprint, str2bool, remove_suffix +import watch_common + +################################################################################################### +scriptName = os.path.basename(__file__) +scriptPath = os.path.dirname(os.path.realpath(__file__)) +origPath = os.getcwd() +shuttingDown = [False] + + +################################################################################################### +# handle sigint/sigterm and set a global shutdown variable +def shutdown_handler(signum, frame): + global shuttingDown + shuttingDown[0] = True + + +################################################################################################### +def file_processor(pathname, **kwargs): + uid = kwargs["uid"] + gid = kwargs["gid"] + pcapDir = kwargs["destination"] + zeekDir = kwargs["zeek"] + logger = kwargs["logger"] if "logger" in kwargs and kwargs["logger"] else logging + + logger.info(f"{scriptName}:\t👓\t{pathname}") + + if os.path.isfile(pathname): + time.sleep(0.1) + try: + os.chown(pathname, uid, gid) + + # get the file magic mime type + fileMime = magic.from_file(pathname, mime=True) + fileType = magic.from_file(pathname) + + if os.path.isdir(pcapDir) and ( + (fileMime in ('application/vnd.tcpdump.pcap', 'application/x-pcapng')) or ('pcap-ng' in fileType) + ): + # a pcap file to 
be processed by dropping it into pcapDir + logger.info(f"{scriptName}:\t🖅\t{pathname} [{fileMime}][{fileType}] to {pcapDir}") + shutil.move(pathname, os.path.join(pcapDir, os.path.basename(pathname))) + + elif os.path.isdir(zeekDir) and ( + fileMime + in [ + 'application/gzip', + 'application/x-gzip', + 'application/x-7z-compressed', + 'application/x-bzip2', + 'application/x-cpio', + 'application/x-lzip', + 'application/x-lzma', + 'application/x-rar-compressed', + 'application/x-tar', + 'application/x-xz', + 'application/zip', + ] + ): + # looks like this is a compressed file, we're assuming it's a zeek log archive to be processed by filebeat + logger.info(f"{scriptName}:\t🖅\t{pathname} [{fileMime}][{fileType}] to {zeekDir}") + shutil.move(pathname, os.path.join(zeekDir, os.path.basename(pathname))) + + else: + # unhandled file type uploaded, delete it + logger.warning(f"{scriptName}:\t🗑\t{pathname} ({fileMime}/{fileType})") + os.unlink(pathname) + + except Exception as genericError: + logger.error(f"{scriptName}:\texception: {genericError}") + + +################################################################################################### +# main +def main(): + global shuttingDown + + parser = argparse.ArgumentParser( + description=scriptName, + add_help=False, + usage='{} '.format(scriptName), + ) + parser.add_argument('--verbose', '-v', action='count', default=1, help='Increase verbosity (e.g., -v, -vv, etc.)') + parser.add_argument( + '-r', + '--recursive-directory', + dest='recursiveDir', + help="If specified, monitor all directories with this name underneath --directory", + metavar='', + type=str, + required=False, + ) + parser.add_argument( + '-p', + '--polling', + dest='polling', + help="Use polling (instead of inotify)", + metavar='true|false', + type=str2bool, + nargs='?', + const=True, + default=os.getenv('PCAP_PIPELINE_POLLING', False), + required=False, + ) + parser.add_argument( + '-c', + '--closed-sec', + dest='assumeClosedSec', + help="When 
polling, assume a file is closed after this many seconds of inactivity", + metavar='', + type=int, + default=int(os.getenv('PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC', str(watch_common.ASSUME_CLOSED_SEC_DEFAULT))), + required=False, + ) + parser.add_argument( + '-i', + '--in', + dest='srcDir', + help='Source directory to monitor', + metavar='', + type=str, + default=os.path.join(remove_suffix(os.getenv('PCAP_PATH', '/pcap'), '/'), 'upload'), + required=False, + ) + parser.add_argument( + '-o', + '--out', + dest='dstDir', + help='Destination directory', + metavar='', + type=str, + default=os.path.join(remove_suffix(os.getenv('PCAP_PATH', '/pcap'), '/'), 'processed'), + required=False, + ) + parser.add_argument( + '-z', + '--zeek', + dest='zeekDir', + help='Zeek upload directory', + metavar='', + type=str, + default=os.path.join(remove_suffix(os.getenv('ZEEK_PATH', '/zeek'), '/'), 'upload'), + required=False, + ) + parser.add_argument( + '-u', + '--uid', + dest='chownUid', + help='UID to chown files', + metavar='', + type=int, + default=int(os.getenv('PUID', os.getenv('DEFAULT_UID', '1000'))), + required=False, + ) + parser.add_argument( + '-g', + '--gid', + dest='chownGid', + help='UID to chown files', + metavar='', + type=int, + default=int(os.getenv('PGID', os.getenv('DEFAULT_GID', '1000'))), + required=False, + ) + parser.add_argument( + '--start-sleep', + dest='startSleepSec', + help="Sleep for this many seconds before starting", + metavar='', + type=int, + default=0, + required=False, + ) + + try: + parser.error = parser.exit + args = parser.parse_args() + except SystemExit: + parser.print_help() + exit(2) + + args.verbose = logging.ERROR - (10 * args.verbose) if args.verbose > 0 else 0 + logging.basicConfig( + level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S' + ) + logging.info(os.path.join(scriptPath, scriptName)) + logging.info("Arguments: {}".format(sys.argv[1:])) + logging.info("Arguments: {}".format(args)) + if 
args.verbose > logging.DEBUG: + sys.tracebacklimit = 0 + + # handle sigint and sigterm for graceful shutdown + signal.signal(signal.SIGINT, shutdown_handler) + signal.signal(signal.SIGTERM, shutdown_handler) + + # sleep for a bit if requested + sleepCount = 0 + while (not shuttingDown[0]) and (sleepCount < args.startSleepSec): + time.sleep(1) + sleepCount += 1 + + args.dstDir = remove_suffix(args.dstDir, '/') + args.srcDir = remove_suffix(args.srcDir, '/') + args.zeekDir = remove_suffix(args.zeekDir, '/') + + # if directory to monitor doesn't exist, create it now + if not os.path.isdir(args.srcDir): + logging.info(f'{scriptName}:\tcreating "{args.srcDir}" to monitor') + pathlib.Path(args.srcDir).mkdir(parents=False, exist_ok=True) + + # if recursion was requested, get list of directories to monitor + watchDirs = [] + while len(watchDirs) == 0: + if args.recursiveDir is None: + watchDirs = [args.srcDir] + else: + watchDirs = glob.glob(f'{args.srcDir}/**/{args.recursiveDir}', recursive=True) + + watch_common.WatchAndProcessDirectory( + watchDirs, + args.polling, + file_processor, + { + "logger": logging, + "destination": args.dstDir, + "zeek": args.zeekDir, + "uid": args.chownUid, + "gid": args.chownGid, + }, + args.assumeClosedSec, + shuttingDown, + logging, + ) + + +if __name__ == '__main__': + main() diff --git a/pcap-monitor/scripts/watch-pcap-uploads-folder.sh b/pcap-monitor/scripts/watch-pcap-uploads-folder.sh deleted file mode 100755 index a72d088d8..000000000 --- a/pcap-monitor/scripts/watch-pcap-uploads-folder.sh +++ /dev/null 
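Review bot: The `--gid` argument's help text reads 'UID to chown files' and should be `help='GID to chown files'`. In file_processor, `shutil.move(pathname, os.path.join(pcapDir, os.path.basename(pathname)))` (and the zeek-archive branch) replaces an existing destination of the same name, so two uploads with identical filenames lose the first without any log line; if that is acceptable a comment saying so is enough, otherwise an `os.path.exists` check on the target with a `logger.warning` before the move would surface it. main's `exit(2)` relies on the site-provided builtin; `sys.exit(2)` is the portable form and sys is already imported.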
@@ -1,32 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -PCAP_BASE_PATH=${PCAP_PATH:-"/pcap"} -ZEEK_BASE_PATH=${ZEEK_PATH:-"/zeek"} - -PROCESS_DIR="$PCAP_BASE_PATH/processed" -PCAP_UPLOAD_DIR="$PCAP_BASE_PATH/upload" -ZEEK_UPLOAD_DIR="$ZEEK_BASE_PATH/upload" -mkdir -p "$PCAP_UPLOAD_DIR" - -# as new pcaps are closed for writing in /pcap/upload, move them to /pcap/processed for processing -inotifywait -m -e close_write --format '%w%f' "${PCAP_UPLOAD_DIR}" | while read NEWFILE -do - FILEMAGIC=$(file -b "$NEWFILE") - FILEMIME=$(file -b --mime-type "$NEWFILE") - if [[ "$FILEMIME" == 'application/vnd.tcpdump.pcap' ]] || [[ "$FILEMIME" == 'application/x-pcapng' ]] || [[ "$FILEMAGIC" == *"pcap-ng"* ]]; then - # a pcap file to be processed by dropping it into $PROCESS_DIR - sleep 0.1 && chown ${PUID:-${DEFAULT_UID}}:${PGID:-${DEFAULT_GID}} "$NEWFILE" && (>&2 mv -v "$NEWFILE" "$PROCESS_DIR/") - - elif [[ -d "$ZEEK_UPLOAD_DIR" ]] && ( echo "$FILEMIME" | grep --quiet -P "(application/gzip|application/x-gzip|application/x-7z-compressed|application/x-bzip2|application/x-cpio|application/x-lzip|application/x-lzma|application/x-rar-compressed|application/x-tar|application/x-xz|application/zip)" ); then - # looks like this is a compressed file, we're assuming it's a zeek log archive to be processed by filebeat - sleep 0.1 && chown ${PUID:-${DEFAULT_UID}}:${PGID:-${DEFAULT_GID}} "$NEWFILE" && (>&2 mv -v "$NEWFILE" "$ZEEK_UPLOAD_DIR/") - - else - # unhandled file type uploaded, delete it - sleep 0.1 && (>&2 rm "$NEWFILE") - echo "Removed \"$NEWFILE\", unhandled file type \"$FILEMIME\"" - - fi -done diff --git a/pcap-monitor/supervisord.conf b/pcap-monitor/supervisord.conf index a48fa7963..08674792d 100644 --- a/pcap-monitor/supervisord.conf +++ b/pcap-monitor/supervisord.conf 
@@ -18,7 +18,15 @@ supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface serverurl=unix:///tmp/supervisor.sock [program:watch-upload] -command=/bin/bash -c "sleep 30 && /usr/local/bin/watch-pcap-uploads-folder.sh" +command=python3 /usr/local/bin/watch-pcap-uploads-folder.py %(ENV_PCAP_PIPELINE_VERBOSITY)s + --start-sleep 30 + --polling "%(ENV_PCAP_PIPELINE_POLLING)s" + --closed-sec %(ENV_PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC)s + --in "%(ENV_PCAP_PATH)s"/upload + --out "%(ENV_PCAP_PATH)s"/processed + --zeek "%(ENV_ZEEK_PATH)s"/upload + --uid %(ENV_PUID)s + --gid %(ENV_PGID)s startsecs=35 startretries=1 stopasgroup=true @@ -28,15 +36,15 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:pcap-publisher] -command=python3 /usr/local/bin/pcap_watcher.py - --verbose "%(ENV_PCAP_PIPELINE_DEBUG)s" - --extra-verbose "%(ENV_PCAP_PIPELINE_DEBUG_EXTRA)s" +command=python3 /usr/local/bin/pcap_watcher.py %(ENV_PCAP_PIPELINE_VERBOSITY)s --opensearch "%(ENV_OPENSEARCH_URL)s" --opensearch-curlrc "%(ENV_OPENSEARCH_CREDS_CONFIG_FILE)s" --opensearch-ssl-verify %(ENV_OPENSEARCH_SSL_CERTIFICATE_VERIFICATION)s --opensearch-wait --node "%(ENV_PCAP_NODE_NAME)s" --ignore-existing "%(ENV_PCAP_PIPELINE_IGNORE_PREEXISTING)s" + --polling "%(ENV_PCAP_PIPELINE_POLLING)s" + --closed-sec %(ENV_PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC)s --start-sleep 60 --directory "%(ENV_PCAP_PATH)s"/processed user=%(ENV_PUSER)s diff --git a/scripts/build.sh b/scripts/build.sh index 610ac5d2b..751bc78b1 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -72,7 +72,7 @@ MALCOLM_VERSION="$($GREP -P "^\s+image:\s*malcolm" "$CONFIG_FILE" | awk '{print VCS_REVISION="$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" GITHUB_API_TOKEN="${GITHUB_TOKEN:-}" -[[ ! -f ./auth.env ]] && touch ./auth.env +mkdir -p ./config # MaxMind now requires a (free) license key to download the free versions of their GeoIP databases. if [ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]; then 
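Review bot: The new watch-upload command reads `%(ENV_PUID)s`, `%(ENV_PGID)s`, `%(ENV_PCAP_PIPELINE_VERBOSITY)s`, `%(ENV_PCAP_PIPELINE_POLLING)s` and `%(ENV_PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC)s` with no fallback, whereas the shell script it replaces defaulted with `${PUID:-${DEFAULT_UID}}`; supervisord appears to reject the whole program section when an `%(ENV_...)s` variable is unset, so each of these must now be guaranteed by the image or the env files. `%(ENV_PCAP_PIPELINE_VERBOSITY)s` is also unquoted and sits where the script expects a flag such as `-vv`, so an empty value is harmless but anything containing spaces is word-split; a comment above the `[program:watch-upload]` entry noting the expected form would help. The same unquoted verbosity token is added to the pcap-publisher command in the next hunk.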
@@ -95,7 +95,7 @@ FILES_IN_IMAGES=( "/usr/share/filebeat/filebeat.yml;filebeat-oss" "/var/www/upload/js/jquery.fileupload.js;file-upload" "/opt/freq_server/freq_server.py;freq" - "/var/www/htadmin/index.php;htadmin" + "/var/www/htadmin/htadmin.php;htadmin" "/etc/ip_protocol_name_to_number.yaml;logstash" "/etc/ja3.yaml;logstash" "/etc/vendor_macs.yaml;logstash" @@ -104,8 +104,7 @@ FILES_IN_IMAGES=( "/opt/arkime/etc/ipv4-address-space.csv;arkime" "/opt/arkime/etc/oui.txt;arkime" "/opt/arkime/bin/capture;arkime" - "/var/www/html/list.min.js;name-map-ui" - "/var/www/html/jquery.min.js;name-map-ui" + "/opt/netbox-devicetype-library/schema/components.json;netbox" "/opt/zeek/bin/zeek;zeek" "/opt/zeek/bin/spicyz;zeek" "/usr/share/nginx/html/index.html;nginx-proxy" diff --git a/scripts/configure b/scripts/configure new file mode 120000 index 000000000..7f4fe4b08 --- /dev/null +++ b/scripts/configure @@ -0,0 +1 @@ +install.py \ No newline at end of file diff --git a/scripts/control.py b/scripts/control.py index 84e0c83ff..d82df1738 100755 --- a/scripts/control.py +++ b/scripts/control.py 
@@ -15,17 +15,74 @@ import re import secrets import shutil +import signal import stat import string import sys import tarfile import time -from malcolm_common import * +from malcolm_common import ( + AskForPassword, + AskForString, + BoundPath, + ChooseOne, + DetermineYamlFileFormat, + DisplayMessage, + DisplayProgramBox, + DotEnvDynamic, + GetUidGidFromEnv, + KubernetesDynamic, + LocalPathForContainerBindMount, + MainDialog, + MalcolmAuthFilesExist, + MalcolmPath, + MalcolmTmpPath, + OrchestrationFramework, + OrchestrationFrameworksSupported, + PLATFORM_WINDOWS, + posInt, + ProcessLogLine, + ScriptPath, + YAMLDynamic, + YesOrNo, +) + +from malcolm_utils import ( + deep_get, + dictsearch, + eprint, + EscapeAnsi, + EscapeForCurl, + get_iterable, + get_primary_ip, + LoadStrIfJson, + ParseCurlFile, + pushd, + RemoveEmptyFolders, + run_process, + same_file_or_dir, + str2bool, + which, +) + +from malcolm_kubernetes import ( + CheckPersistentStorageDefs, + DeleteNamespace, + get_node_hostnames_and_ips, + GetPodNamesForService, + PodExec, + PrintNodeStatus, + PrintPodStatus, + REQUIRED_VOLUME_OBJECTS, + StartMalcolm, +) + from base64 import b64encode from collections import defaultdict, namedtuple -from subprocess import PIPE, DEVNULL, Popen, TimeoutExpired +from subprocess import PIPE, STDOUT, DEVNULL, Popen, TimeoutExpired from urllib.parse import urlparse +from itertools import chain, groupby try: from contextlib import nullcontext @@ -50,9 +107,14 @@ def __exit__(self, *args): args = None dockerBin = None dockerComposeBin = None +dockerComposeYaml = None +kubeImported = None opensslBin = None +orchMode = None +shuttingDown = [False] yamlImported = None -dockerComposeYaml = None +dotenvImported = None + ################################################################################################### try: 
@@ -60,12 +122,43 @@ def __exit__(self, *args): ColoramaInit() coloramaImported = True -except: +except Exception: coloramaImported = False ################################################################################################### -# perform a service-keystore operation in a Docker container +# handle sigint/sigterm and set a global shutdown variable +def shutdown_handler(signum, frame): + global shuttingDown + shuttingDown[0] = True + + +################################################################################################### +def checkEnvFilesExist(): + global args + + # first, if the configDir is completely empty, then populate from defaults + defaultConfigDir = os.path.join(MalcolmPath, 'config') + if ( + (args.configDir is not None) + and os.path.isdir(args.configDir) + and os.path.isdir(defaultConfigDir) + and (not same_file_or_dir(defaultConfigDir, args.configDir)) + and (not os.listdir(args.configDir)) + ): + for defaultEnvExampleFile in glob.glob(os.path.join(defaultConfigDir, '*.env.example')): + shutil.copy2(defaultEnvExampleFile, args.configDir) + + # if a specific config/*.env file doesn't exist, use the *.example.env files as defaults + envExampleFiles = glob.glob(os.path.join(args.configDir, '*.env.example')) + for envExampleFile in envExampleFiles: + envFile = envExampleFile[: -len('.example')] + if not os.path.isfile(envFile): + shutil.copyfile(envExampleFile, envFile) + + +################################################################################################### +# perform a service-keystore operation in a container # # service - the service in the docker-compose YML file # keystore_args - arguments to pass to the service-keystore binary in the container 
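Review bot: checkEnvFilesExist seeds each missing `*.env` with `shutil.copyfile`, which writes content only and so leaves the new file with the umask default mode, while the first loop uses `shutil.copy2` and preserves the example's mode; since these files presumably end up holding per-service settings including credentials, the two loops should agree, and `os.chmod(envFile, 0o600)` after the copy (if nothing else needs to read them) would keep them from being world-readable by default. The first branch guards `args.configDir is not None`, but the second calls `glob.glob(os.path.join(args.configDir, '*.env.example'))` unconditionally, which raises TypeError when configDir is None; either return early or state the precondition in a docstring such as `"""Populate args.configDir from the default config dir and materialize any missing *.env from its *.env.example; requires args.configDir to be set."""`.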
@@ -77,176 +170,207 @@ def keystore_op(service, dropPriv=False, *keystore_args, **run_process_kwargs): global args global dockerBin global dockerComposeBin + global orchMode err = -1 results = [] # the opensearch containers all follow the same naming pattern for these executables keystoreBinProc = f"/usr/share/{service}/bin/{service}-keystore" + uidGidDict = GetUidGidFromEnv(args.configDir) - # if we're using docker-uid-gid-setup.sh to drop privileges as we spin up a container - dockerUidGuidSetup = "/usr/local/bin/docker-uid-gid-setup.sh" + if orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # if we're using docker-uid-gid-setup.sh to drop privileges as we spin up a container + dockerUidGuidSetup = "/usr/local/bin/docker-uid-gid-setup.sh" - # docker-compose use local temporary path - osEnv = os.environ.copy() - osEnv['TMPDIR'] = MalcolmTmpPath - - # open up the docker-compose file and "grep" for the line where the keystore file - # is bind-mounted into the service container (once and only once). the bind - # mount needs to exist in the YML file and the local directory containing the - # keystore file needs to exist (although the file itself might not yet). - # also get PUID and PGID variables from the docker-compose file. - localKeystore = None - localKeystoreDir = None - localKeystorePreExists = False - volumeKeystore = None - volumeKeystoreDir = None - uidGidDict = None + # docker-compose use local temporary path + osEnv = os.environ.copy() + osEnv['TMPDIR'] = MalcolmTmpPath - try: - uidGidDict = GetUidGidFromComposeFile(args.composeFile) + # open up the docker-compose file and "grep" for the line where the keystore file + # is bind-mounted into the service container (once and only once). the bind + # mount needs to exist in the YML file and the local directory containing the + # keystore file needs to exist (although the file itself might not yet). + # also get PUID and PGID variables from the docker-compose file. 
+ localKeystore = None + localKeystoreDir = None + localKeystorePreExists = False + volumeKeystore = f"/usr/share/{service}/config/{service}.keystore" + volumeKeystoreDir = os.path.dirname(volumeKeystore) - composeFileLines = list() - with open(args.composeFile, 'r') as f: - allLines = f.readlines() - composeFileLines = [x for x in allLines if re.search(fr'-.*?{service}.keystore\s*:.*{service}.keystore', x)] + try: + composeFileLines = list() + with open(args.composeFile, 'r') as f: + allLines = f.readlines() + composeFileLines = [ + x for x in allLines if re.search(fr'-.*?{service}.keystore\s*:.*{service}.keystore', x) + ] - if (len(composeFileLines) == 1) and (len(composeFileLines[0]) > 0): - matches = re.search( - fr'-\s*(?P.*?{service}.keystore)\s*:\s*(?P.*?{service}.keystore)', - composeFileLines[0], - ) - if matches: - localKeystore = os.path.realpath(matches.group('localKeystore')) - localKeystoreDir = os.path.dirname(localKeystore) - volumeKeystore = matches.group('volumeKeystore') - volumeKeystoreDir = os.path.dirname(volumeKeystore) + if (len(composeFileLines) == 1) and (len(composeFileLines[0]) > 0): + matches = re.search( + fr'-\s*(?P.*?{service}.keystore)\s*:\s*.*?{service}.keystore', + composeFileLines[0], + ) + if matches: + localKeystore = os.path.realpath(matches.group('localKeystore')) + localKeystoreDir = os.path.dirname(localKeystore) - if (localKeystore is not None) and (volumeKeystore is not None) and os.path.isdir(localKeystoreDir): - localKeystorePreExists = os.path.isfile(localKeystore) + if (localKeystore is not None) and os.path.isdir(localKeystoreDir): + localKeystorePreExists = os.path.isfile(localKeystore) - dockerCmd = None + dockerCmd = None - # determine if Malcolm is running; if so, we'll use docker-compose exec, other wise we'll use docker run - err, out = run_process( - [dockerComposeBin, '-f', args.composeFile, 'ps', '-q', service], env=osEnv, debug=args.debug - ) - out[:] = [x for x in out if x] - if (err == 0) and (len(out) > 
0): - # Malcolm is running, we can use an existing container - - # assemble the service-keystore command - dockerCmd = [ - dockerComposeBin, - '-f', - args.composeFile, - 'exec', - # if using stdin, indicate the container is "interactive", else noop (duplicate --rm) - '-T' if ('stdin' in run_process_kwargs and run_process_kwargs['stdin']) else '', - # execute as UID:GID in docker-compose.yml file - '-u', - f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}', - # the work directory in the container is the directory to contain the keystore file - '-w', - volumeKeystoreDir, - # the service name - service, - # the executable filespec - keystoreBinProc, - ] + # determine if Malcolm is running; if so, we'll use docker-compose exec, other wise we'll use docker run + err, out = run_process( + [dockerComposeBin, '-f', args.composeFile, 'ps', '-q', service], env=osEnv, debug=args.debug + ) + out[:] = [x for x in out if x] + if (err == 0) and (len(out) > 0): + # Malcolm is running, we can use an existing container - else: - # Malcolm isn't running, do 'docker run' to spin up a temporary container to run the ocmmand - - # "grep" the docker image out of the service's image: value from the docker-compose YML file - serviceImage = None - composeFileLines = list() - with open(args.composeFile, 'r') as f: - composeFileLines = [x for x in f.readlines() if f'image: ghcr.io/idaholab/malcolm/{service}' in x] - if (len(composeFileLines) > 0) and (len(composeFileLines[0]) > 0): - imageLineValues = composeFileLines[0].split() - if len(imageLineValues) > 1: - serviceImage = imageLineValues[1] - - if serviceImage is not None: # assemble the service-keystore command dockerCmd = [ - dockerBin, - 'run', - # remove the container when complete - '--rm', - # if using stdin, indicate the container is "interactive", else noop - '-i' if ('stdin' in run_process_kwargs and run_process_kwargs['stdin']) else '', - # if dropPriv, dockerUidGuidSetup will take care of dropping privileges for the correct UID/GID - 
# if NOT dropPriv, enter with the keystore executable directly - '--entrypoint', - dockerUidGuidSetup if dropPriv else keystoreBinProc, - '--env', - f'PUID={uidGidDict["PUID"]}', - '--env', - f'DEFAULT_UID={uidGidDict["PUID"]}', - '--env', - f'PGID={uidGidDict["PGID"]}', - '--env', - f'DEFAULT_GID={uidGidDict["PGID"]}', - '--env', - f'PUSER_CHOWN={volumeKeystoreDir}', - # rw bind mount the local directory to contain the keystore file to the container directory - '-v', - f'{localKeystoreDir}:{volumeKeystoreDir}:rw', + dockerComposeBin, + '-f', + args.composeFile, + 'exec', + # if using stdin, indicate the container is "interactive", else noop (duplicate --rm) + '-T' if ('stdin' in run_process_kwargs and run_process_kwargs['stdin']) else '', + # execute as UID:GID in docker-compose.yml file + '-u', + f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}', # the work directory in the container is the directory to contain the keystore file '-w', volumeKeystoreDir, - # if dropPriv, execute as root, as docker-uid-gid-setup.sh will drop privileges for us - # if NOT dropPriv, execute as UID:GID in docker-compose.yml file - '-u', - 'root' if dropPriv else f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}', - # the service image name grepped from the YML file - serviceImage, + # the service name + service, + # the executable filespec + keystoreBinProc, ] - if dropPriv: - # the keystore executable filespec (as we used dockerUidGuidSetup as the entrypoint) - dockerCmd.append(keystoreBinProc) - else: - raise Exception(f'Unable to identify docker image for {service} in {args.composeFile}') + # Malcolm isn't running, do 'docker run' to spin up a temporary container to run the ocmmand + + # "grep" the docker image out of the service's image: value from the docker-compose YML file + serviceImage = None + composeFileLines = list() + with open(args.composeFile, 'r') as f: + composeFileLines = [ + x for x in f.readlines() if f'image: ghcr.io/idaholab/malcolm/{service}' in x + ] + if 
(len(composeFileLines) > 0) and (len(composeFileLines[0]) > 0): + imageLineValues = composeFileLines[0].split() + if len(imageLineValues) > 1: + serviceImage = imageLineValues[1] + + if serviceImage is not None: + # assemble the service-keystore command + dockerCmd = [ + dockerBin, + 'run', + # remove the container when complete + '--rm', + # if using stdin, indicate the container is "interactive", else noop + '-i' if ('stdin' in run_process_kwargs and run_process_kwargs['stdin']) else '', + # if dropPriv, dockerUidGuidSetup will take care of dropping privileges for the correct UID/GID + # if NOT dropPriv, enter with the keystore executable directly + '--entrypoint', + dockerUidGuidSetup if dropPriv else keystoreBinProc, + '--env', + f'PUID={uidGidDict["PUID"]}', + '--env', + f'DEFAULT_UID={uidGidDict["PUID"]}', + '--env', + f'PGID={uidGidDict["PGID"]}', + '--env', + f'DEFAULT_GID={uidGidDict["PGID"]}', + '--env', + f'PUSER_CHOWN={volumeKeystoreDir}', + # rw bind mount the local directory to contain the keystore file to the container directory + '-v', + f'{localKeystoreDir}:{volumeKeystoreDir}:rw', + # the work directory in the container is the directory to contain the keystore file + '-w', + volumeKeystoreDir, + # if dropPriv, execute as root, as docker-uid-gid-setup.sh will drop privileges for us + # if NOT dropPriv, execute as UID:GID in docker-compose.yml file + '-u', + 'root' if dropPriv else f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}', + # the service image name grepped from the YML file + serviceImage, + ] + + if dropPriv: + # the keystore executable filespec (as we used dockerUidGuidSetup as the entrypoint) + dockerCmd.append(keystoreBinProc) - if dockerCmd is not None: - # append whatever other arguments to pass to the executable filespec - if keystore_args: - dockerCmd.extend(list(keystore_args)) + else: + raise Exception(f'Unable to identify docker image for {service} in {args.composeFile}') - dockerCmd[:] = [x for x in dockerCmd if x] + if dockerCmd is 
not None: + # append whatever other arguments to pass to the executable filespec + if keystore_args: + dockerCmd.extend(list(keystore_args)) + + dockerCmd[:] = [x for x in dockerCmd if x] + + # execute the command, passing through run_process_kwargs to run_process as expanded keyword arguments + err, results = run_process(dockerCmd, env=osEnv, debug=args.debug, **run_process_kwargs) + if (err != 0) or (not os.path.isfile(localKeystore)): + raise Exception(f'Error processing command {service} keystore: {results}') + + else: + raise Exception(f'Unable formulate keystore command for {service} in {args.composeFile}') - # execute the command, passing through run_process_kwargs to run_process as expanded keyword arguments - err, results = run_process(dockerCmd, env=osEnv, debug=args.debug, **run_process_kwargs) - if (err != 0) or (not os.path.isfile(localKeystore)): - raise Exception(f'Error processing command {service} keystore: {results}') + else: + raise Exception( + f'Unable to identify a unique keystore file bind mount for {service} in {args.composeFile}' + ) + except Exception as e: + if err == 0: + err = -1 + + # don't be so whiny if the "create" failed just because it already existed or a 'remove' failed on a nonexistant item + if ( + (not args.debug) + and list(keystore_args) + and (len(list(keystore_args)) > 0) + and (list(keystore_args)[0].lower() in ('create', 'remove')) + and localKeystorePreExists + ): + pass else: - raise Exception(f'Unable formulate keystore command for {service} in {args.composeFile}') + eprint(e) + + elif orchMode is OrchestrationFramework.KUBERNETES: + cmd = [keystoreBinProc] + if keystore_args: + cmd.extend(list(keystore_args)) + cmd = [x for x in cmd if x] + + podsResults = PodExec( + service, + args.namespace, + [x for x in cmd if x], + stdin=run_process_kwargs['stdin'] + if ('stdin' in run_process_kwargs and run_process_kwargs['stdin']) + else None, + ) - else: - raise Exception(f'Unable to identify a unique keystore file bind 
mount for {service} in {args.composeFile}') + err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1 + results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()])) - except Exception as e: - if err == 0: - err = -1 - - # don't be so whiny if the "create" failed just because it already existed or a 'remove' failed on a nonexistant item - if ( - (not args.debug) - and list(keystore_args) - and (len(list(keystore_args)) > 0) - and (list(keystore_args)[0].lower() in ('create', 'remove')) - and localKeystorePreExists - ): - pass - else: - eprint(e) + if args.debug: + dbgStr = f"{len(podsResults)} pods: {cmd}({run_process_kwargs['stdin'][:80] + bool(run_process_kwargs['stdin'][80:]) * '...' if 'stdin' in run_process_kwargs and run_process_kwargs['stdin'] else ''}) returned {err}: {results}" + eprint(dbgStr) + for podname, podResults in podsResults.items(): + dbgStr = f"{podname}: {cmd}({run_process_kwargs['stdin'][:80] + bool(run_process_kwargs['stdin'][80:]) * '...' if 'stdin' in run_process_kwargs and run_process_kwargs['stdin'] else ''}) returned {deep_get(podResults, ['err'], 1)}: {deep_get(podResults, ['output'], 'unknown')}" + eprint(dbgStr) + + else: + raise Exception(f'{sys._getframe().f_code.co_name} does not yet support {orchMode}') - # success = (error == 0) return (err == 0), results 
@@ -254,84 +378,86 @@ def keystore_op(service, dropPriv=False, *keystore_args, **run_process_kwargs): def status(): global args global dockerComposeBin + global orchMode - # docker-compose use local temporary path - osEnv = os.environ.copy() - osEnv['TMPDIR'] = MalcolmTmpPath - - err, out = run_process( - [dockerComposeBin, '-f', args.composeFile, 'ps', args.service][: 5 if args.service is not None else -1], - env=osEnv, - debug=args.debug, - ) - if err == 0: - print("\n".join(out)) - else: - eprint("Failed to display Malcolm status\n") - eprint("\n".join(out)) - exit(err) + if orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # docker-compose use local temporary path + osEnv = os.environ.copy() + osEnv['TMPDIR'] = MalcolmTmpPath + err, out = run_process( + [dockerComposeBin, '-f', args.composeFile, 'ps', args.service][: 5 if args.service is not None else -1], + env=osEnv, + debug=args.debug, + ) + if err == 0: + print("\n".join(out)) + else: + eprint("Failed to display Malcolm status\n") + eprint("\n".join(out)) + exit(err) -################################################################################################### -def netboxBackup(backupFileName=None): - global args - global dockerComposeBin + elif orchMode is OrchestrationFramework.KUBERNETES: + try: + PrintNodeStatus() + print() + PrintPodStatus(namespace=args.namespace) + print() + except Exception as e: + eprint(f'Error getting {args.namespace} status: {e}') + exit(-1) - # docker-compose use local temporary path - osEnv = os.environ.copy() - osEnv['TMPDIR'] = MalcolmTmpPath + else: + raise Exception(f'{sys._getframe().f_code.co_name} does not yet support {orchMode}') - uidGidDict = GetUidGidFromComposeFile(args.composeFile) - dockerCmd = [ - dockerComposeBin, - '-f', - args.composeFile, - 'exec', - # disable pseudo-TTY allocation - '-T', - # execute as UID:GID in docker-compose.yml file - '-u', - f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}', - 'netbox-postgres', - 'pg_dump', - '-U', - 'netbox', - 
'-d', - 'netbox', - ] - - err, results = run_process(dockerCmd, env=osEnv, debug=args.debug, stdout=True, stderr=False) - if (err != 0) or (len(results) == 0): - raise Exception(f'Error creating NetBox configuration database backup') - - if (backupFileName is None) or (len(backupFileName) == 0): - backupFileName = f"malcolm_netbox_backup_{time.strftime('%Y%m%d-%H%M%S')}.gz" - - with gzip.GzipFile(backupFileName, "wb") as f: - f.write(bytes('\n'.join(results), 'utf-8')) - - backupFileParts = os.path.splitext(backupFileName) - backupMediaFileName = backupFileParts[0] + ".media.tar.gz" - with tarfile.open(backupMediaFileName, 'w:gz') as t: - t.add(os.path.join(os.path.join(MalcolmPath, 'netbox'), 'media'), arcname='.') +################################################################################################### +def printURLs(): + global orchMode + + if orchMode is OrchestrationFramework.KUBERNETES: + addrs = get_node_hostnames_and_ips(mastersOnly=True) + if not any((addrs['external'], addrs['hostname'])): + addrs = get_node_hostnames_and_ips(mastersOnly=False) + if addrs['external']: + myIp = addrs['external'][0] + elif addrs['hostname']: + myIp = addrs['hostname'][0] + elif addrs['internal']: + myIp = addrs['internal'][0] + else: + myIp = '' + else: + myIp = get_primary_ip() - return backupFileName, backupMediaFileName + print("\nMalcolm services can be accessed via the following URLs:") + print("------------------------------------------------------------------------------") + print(f" - Arkime: https://{myIp}/") + print(f" - OpenSearch Dashboards: https://{myIp}/dashboards/") + print(f" - PCAP upload (web): https://{myIp}/upload/") + if orchMode is not OrchestrationFramework.KUBERNETES: + print(f" - PCAP upload (sftp): sftp://username@{myIp}:8022/files/") + print(f" - NetBox: https://{myIp}/netbox/") + print(f" - Account management: https://{myIp}/auth/") + print(f" - Documentation: https://{myIp}/readme/") 
################################################################################################### -def netboxRestore(backupFileName=None): +def netboxBackup(backupFileName=None): global args global dockerComposeBin + global orchMode - if backupFileName and os.path.isfile(backupFileName): + backupFileName, backupMediaFileName = None, None + + uidGidDict = GetUidGidFromEnv(args.configDir) + + if orchMode is OrchestrationFramework.DOCKER_COMPOSE: # docker-compose use local temporary path osEnv = os.environ.copy() osEnv['TMPDIR'] = MalcolmTmpPath - uidGidDict = GetUidGidFromComposeFile(args.composeFile) - - dockerCmdBase = [ + dockerCmd = [ dockerComposeBin, '-f', args.composeFile, 
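Review bot: printURLs has no docstring, and its Kubernetes fallback condition does not match the selection chain that follows it: the masters-only lookup is retried over all nodes only when `addrs['external']` and `addrs['hostname']` are both empty, yet `addrs['internal']` is still accepted as a candidate afterwards, so a master node reporting only an internal address is used without consulting the other nodes — if that is intended, a one-line comment saying so would help. A docstring such as `"""Print the URLs at which Malcolm's services can be reached: under Kubernetes the first external address, hostname or internal address of a master node (falling back to all nodes), otherwise the primary local IP."""` would cover the function. The shape of the dict returned by get_node_hostnames_and_ips is not visible here, so the keys are assumed from their use in this hunk.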
@@ -341,314 +467,320 @@ def netboxRestore(backupFileName=None): # execute as UID:GID in docker-compose.yml file '-u', f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}', + 'netbox-postgres', + 'pg_dump', + '-U', + 'netbox', + '-d', + 'netbox', ] - # if the netbox_init.py process is happening, interrupt it - dockerCmd = dockerCmdBase + ['netbox', 'bash', '-c', 'pgrep -f /usr/local/bin/netbox_init.py | xargs -r kill'] - err, results = run_process(dockerCmd, env=osEnv, debug=args.debug) - if (err != 0) and args.debug: - eprint(f'Error interrupting netbox_init.py: {results}') - - # drop the existing netbox database - dockerCmd = dockerCmdBase + ['netbox-postgres', 'dropdb', '-U', 'netbox', 'netbox', '--force'] - err, results = run_process(dockerCmd, env=osEnv, debug=args.debug) - if ((err != 0) or (len(results) == 0)) and args.debug: - eprint(f'Error dropping NetBox database: {results}') - - # create a new netbox database - dockerCmd = dockerCmdBase + ['netbox-postgres', 'createdb', '-U', 'netbox', 'netbox'] - err, results = run_process(dockerCmd, env=osEnv, debug=args.debug) - if err != 0: - raise Exception(f'Error creating new NetBox database') - - # load the backed-up psql dump - dockerCmd = dockerCmdBase + ['netbox-postgres', 'psql', '-U', 'netbox'] - with gzip.open(backupFileName, 'rt') as f: - err, results = run_process(dockerCmd, env=osEnv, debug=args.debug, stdin=f.read()) + err, results = run_process(dockerCmd, env=osEnv, debug=args.debug, stdout=True, stderr=False) if (err != 0) or (len(results) == 0): - raise Exception(f'Error loading NetBox database') + raise Exception('Error creating NetBox configuration database backup') - # migrations if needed - dockerCmd = dockerCmdBase + ['netbox', '/opt/netbox/netbox/manage.py', 'migrate'] - err, results = run_process(dockerCmd, env=osEnv, debug=args.debug) - if (err != 0) or (len(results) == 0): - raise Exception(f'Error performing NetBox migration') + if (backupFileName is None) or (len(backupFileName) == 0): + 
backupFileName = f"malcolm_netbox_backup_{time.strftime('%Y%m%d-%H%M%S')}.gz" + + with gzip.GzipFile(backupFileName, "wb") as f: + f.write(bytes('\n'.join(results), 'utf-8')) - # restore media directory backupFileParts = os.path.splitext(backupFileName) backupMediaFileName = backupFileParts[0] + ".media.tar.gz" - mediaPath = os.path.join(os.path.join(MalcolmPath, 'netbox'), 'media') - if os.path.isfile(backupMediaFileName) and os.path.isdir(mediaPath): - RemoveEmptyFolders(mediaPath, removeRoot=False) - with tarfile.open(backupMediaFileName) as t: - t.extractall(mediaPath) + with tarfile.open(backupMediaFileName, 'w:gz') as t: + t.add(os.path.join(os.path.join(MalcolmPath, 'netbox'), 'media'), arcname='.') + + elif orchMode is OrchestrationFramework.KUBERNETES: + if podsResults := PodExec( + service='netbox-postgres', + namespace=args.namespace, + command=[ + 'pg_dump', + '-U', + 'netbox', + '-d', + 'netbox', + ], + maxPodsToExec=1, + ): + podName = next(iter(podsResults)) + err = podsResults[podName]['err'] + results = podsResults[podName]['output'] + else: + err = 1 + results = [] + + if (err != 0) or (len(results) == 0): + raise Exception('Error creating NetBox configuration database backup') + + if (backupFileName is None) or (len(backupFileName) == 0): + backupFileName = f"malcolm_netbox_backup_{time.strftime('%Y%m%d-%H%M%S')}.gz" + + with gzip.GzipFile(backupFileName, "wb") as f: + f.write(bytes('\n'.join(results), 'utf-8')) + + # TODO: can't backup netbox/media directory via kubernetes at the moment + backupMediaFileName = None + + else: + raise Exception(f'{sys._getframe().f_code.co_name} does not yet support {orchMode}') + + return backupFileName, backupMediaFileName ################################################################################################### -def logs(): +def netboxRestore(backupFileName=None): global args - global dockerBin global dockerComposeBin + global orchMode - urlUserPassRegEx = re.compile(r'(\w+://[^/]+?:)[^/]+?(@[^/]+)') - 
- # noisy logs (a lot of it is NGINX logs from health checks) - ignoreRegEx = re.compile( - r""" - .+( - deprecated - | "GET\s+/\s+HTTP/1\.\d+"\s+200\s+- - | \bGET.+\b302\s+30\b - | (async|output)\.go.+(reset\s+by\s+peer|Connecting\s+to\s+backoff|backoff.+established$) - | /(opensearch-dashboards|dashboards|kibana)/(api/ui_metric/report|internal/search/(es|opensearch)) - | (Error\s+during\s+file\s+comparison|File\s+was\s+renamed):\s+/zeek/live/logs/ - | /_ns_/nstest\.html - | /usr/share/logstash/x-pack/lib/filters/geoip/database_manager - | \b(d|es)?stats\.json - | \b1.+GET\s+/\s+.+401.+curl - | _cat/indices - | branding.*config\s+is\s+not\s+found\s+or\s+invalid - | but\s+there\s+are\s+no\s+living\s+connections - | Connecting\s+to\s+backoff - | curl.+localhost.+GET\s+/api/status\s+200 - | DEPRECATION - | descheduling\s+job\s*id - | eshealth - | esindices/list - | executing\s+attempt_(transition|set_replica_count)\s+for - | GET\s+/(netbox/api|_cat/health|api/status|sessions2-|arkime_\w+).+HTTP/[\d\.].+\b200\b - | loaded\s+config\s+'/etc/netbox/config/ - | "netbox"\s+application\s+started - | \[notice\].+app\s+process\s+\d+\s+exited\s+with\s+code\s+0\b - | POST\s+/(arkime_\w+)(/\w+)?/_(d?stat|doc|search).+HTTP/[\d\.].+\b20[01]\b - | POST\s+/_bulk\s+HTTP/[\d\.].+\b20[01]\b - | POST\s+/server/php/\s+HTTP/\d+\.\d+"\s+\d+\s+\d+.*:8443/ - | POST\s+HTTP/[\d\.].+\b200\b - | reaped\s+unknown\s+pid - | redis.*(changes.+seconds.+Saving|Background\s+saving\s+(started|terminated)|DB\s+saved\s+on\s+disk|Fork\s+CoW) - | remov(ed|ing)\s+(old\s+file|dead\s+symlink|empty\s+directory) - | retry\.go.+(send\s+unwait|done$) - | running\s+full\s+sweep - | saved_objects - | scheduling\s+job\s*id.+opendistro-ism - | SSL/TLS\s+verifications\s+disabled - | Successfully\s+handled\s+GET\s+request\s+for\s+'/' - | Test\s+run\s+complete.*:failed=>0,\s*:errored=>0\b - | throttling\s+index - | update_mapping - | updating\s+number_of_replicas - | use_field_mapping - | Using\s+geoip\s+database - ) - 
""", - re.VERBOSE | re.IGNORECASE, - ) + if backupFileName and os.path.isfile(backupFileName): + uidGidDict = GetUidGidFromEnv(args.configDir) + + if orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # docker-compose use local temporary path + osEnv = os.environ.copy() + osEnv['TMPDIR'] = MalcolmTmpPath + + dockerCmdBase = [ + dockerComposeBin, + '-f', + args.composeFile, + 'exec', + # disable pseudo-TTY allocation + '-T', + # execute as UID:GID in docker-compose.yml file + '-u', + f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}', + ] + + # if the netbox_init.py process is happening, interrupt it + dockerCmd = dockerCmdBase + [ + 'netbox', + 'bash', + '-c', + 'pgrep -f /usr/local/bin/netbox_init.py | xargs -r kill', + ] + err, results = run_process(dockerCmd, env=osEnv, debug=args.debug) + if (err != 0) and args.debug: + eprint(f'Error interrupting netbox_init.py: {results}') + + # drop the existing netbox database + dockerCmd = dockerCmdBase + ['netbox-postgres', 'dropdb', '-U', 'netbox', 'netbox', '--force'] + err, results = run_process(dockerCmd, env=osEnv, debug=args.debug) + if ((err != 0) or (len(results) == 0)) and args.debug: + eprint(f'Error dropping NetBox database: {results}') + + # create a new netbox database + dockerCmd = dockerCmdBase + ['netbox-postgres', 'createdb', '-U', 'netbox', 'netbox'] + err, results = run_process(dockerCmd, env=osEnv, debug=args.debug) + if err != 0: + raise Exception('Error creating new NetBox database') + + # load the backed-up psql dump + dockerCmd = dockerCmdBase + ['netbox-postgres', 'psql', '-U', 'netbox'] + with gzip.open(backupFileName, 'rt') as f: + err, results = run_process(dockerCmd, env=osEnv, debug=args.debug, stdin=f.read()) + if (err != 0) or (len(results) == 0): + raise Exception('Error loading NetBox database') + + # migrations if needed + dockerCmd = dockerCmdBase + ['netbox', '/opt/netbox/netbox/manage.py', 'migrate'] + err, results = run_process(dockerCmd, env=osEnv, debug=args.debug) + if (err != 0) or 
(len(results) == 0): + raise Exception('Error performing NetBox migration') + + # restore media directory + backupFileParts = os.path.splitext(backupFileName) + backupMediaFileName = backupFileParts[0] + ".media.tar.gz" + mediaPath = os.path.join(os.path.join(MalcolmPath, 'netbox'), 'media') + if os.path.isfile(backupMediaFileName) and os.path.isdir(mediaPath): + RemoveEmptyFolders(mediaPath, removeRoot=False) + with tarfile.open(backupMediaFileName) as t: + t.extractall(mediaPath) + + elif orchMode is OrchestrationFramework.KUBERNETES: + # if the netbox_init.py process is happening, interrupt it + if podsResults := PodExec( + service='netbox', + namespace=args.namespace, + command=['bash', '-c', 'pgrep -f /usr/local/bin/netbox_init.py | xargs -r kill'], + ): + err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1 + results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()])) + else: + err = 1 + results = [] + if (err != 0) and args.debug: + eprint(f'Error ({err}) interrupting netbox_init.py: {results}') + + # drop the existing netbox database + if podsResults := PodExec( + service='netbox-postgres', + namespace=args.namespace, + command=['dropdb', '-U', 'netbox', 'netbox', '--force'], + ): + err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1 + results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()])) + else: + err = 1 + results = [] + if ((err != 0) or (len(results) == 0)) and args.debug: + eprint(f'Error dropping NetBox database: {results}') + + # create a new netbox database + if podsResults := PodExec( + service='netbox-postgres', + namespace=args.namespace, + command=['createdb', '-U', 'netbox', 'netbox'], + ): + err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1 + results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()])) + else: + err = 1 + results = [] + if err != 0: + raise 
Exception('Error creating new NetBox database') + + # load the backed-up psql dump + with gzip.open(backupFileName, 'rt') as f: + if podsResults := PodExec( + service='netbox-postgres', + namespace=args.namespace, + command=['psql', '-U', 'netbox'], + stdin=f.read(), + ): + err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1 + results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()])) + else: + err = 1 + results = [] + if (err != 0) or (len(results) == 0): + raise Exception('Error loading NetBox database') + + # migrations if needed + if podsResults := PodExec( + service='netbox', + namespace=args.namespace, + command=['/opt/netbox/netbox/manage.py', 'migrate'], + ): + eprint(podsResults) + err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1 + results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()])) + else: + err = 1 + results = [] + if (err != 0) or (len(results) == 0): + raise Exception('Error performing NetBox migration') - # logs we don't want to eliminate, but we don't want to repeat ad-nauseum - # TODO: not implemented yet - dupeRegEx = re.compile( - r""" - .+( - Maybe the destination pipeline is down or stopping - ) - """, - re.VERBOSE | re.IGNORECASE, - ) + # TODO: can't restore netbox/media directory via kubernetes at the moment - serviceRegEx = re.compile(r'^(?P.+?\|)\s*(?P.*)$') - iso8601TimeRegEx = re.compile( - r'^(-?(?:[1-9][0-9]*)?[0-9]{4})-(1[0-2]|0[1-9])-(3[01]|0[1-9]|[12][0-9])T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-](?:2[0-3]|[01][0-9]):[0-5][0-9])?$' - ) + else: + raise Exception(f'{sys._getframe().f_code.co_name} does not yet support {orchMode}') + + +################################################################################################### +def logs(): + global args + global dockerBin + global dockerComposeBin + global orchMode + global shuttingDown finishedStartingRegEx = 
re.compile(r'.+Pipelines\s+running\s+\{.*:non_running_pipelines=>\[\]\}') - finishedStarting = False - # increase COMPOSE_HTTP_TIMEOUT to be ridiculously large so docker-compose never times out the TTY doing debug output osEnv = os.environ.copy() - osEnv['COMPOSE_HTTP_TIMEOUT'] = '100000000' - # docker-compose use local temporary path + # use local temporary path osEnv['TMPDIR'] = MalcolmTmpPath - err, out = run_process( - [dockerComposeBin, '-f', args.composeFile, 'ps', args.service][: 5 if args.service is not None else -1], - env=osEnv, - debug=args.debug, - ) - print("\n".join(out)) + if orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # increase COMPOSE_HTTP_TIMEOUT to be ridiculously large so docker-compose never times out the TTY doing debug output + osEnv['COMPOSE_HTTP_TIMEOUT'] = '100000000' - if args.logLineCount is None: - args.logLineCount = 'all' + err, out = run_process( + [dockerComposeBin, '-f', args.composeFile, 'ps', args.service][: 5 if args.service is not None else -1], + env=osEnv, + debug=args.debug, + ) + print("\n".join(out)) - process = Popen( - [ + cmd = [ dockerComposeBin, '-f', args.composeFile, 'logs', '--tail', - str(args.logLineCount), + str(args.logLineCount) if args.logLineCount else 'all', '-f', args.service, - ][: 8 if args.service is not None else -1], - env=osEnv, - stdout=PIPE, - stderr=None if args.debug else DEVNULL, - ) - while True: - output = process.stdout.readline() - if (len(output) == 0) and (process.poll() is not None): - break - if output: - outputStr = urlUserPassRegEx.sub(r"\1xxxxxxxx\2", output.decode().strip()) - outputStrEscaped = EscapeAnsi(outputStr) - if ignoreRegEx.match(outputStrEscaped): - pass ### print(f'!!!!!!!: {outputStr}') - elif ( - (args.cmdStart or args.cmdRestart) - and (not args.cmdLogs) - and finishedStartingRegEx.match(outputStrEscaped) - ): - finishedStarting = True + ][: 8 if args.service else -1] + + elif orchMode is OrchestrationFramework.KUBERNETES: + if which("stern"): + cmd = [ + 
"stern", + "--kubeconfig", + args.composeFile, + "--only-log-lines", + "--color", + 'auto' if coloramaImported else 'never', + "--template", + '{{.Namespace}}/{{color .PodColor .PodName}}/{{color .ContainerColor .ContainerName}} | {{.Message}}{{"\\n"}}' + if args.debug + else '{{color .ContainerColor .ContainerName}} | {{.Message}}{{"\\n"}}', + '--tail', + str(args.logLineCount) if args.logLineCount else '-1', + ] + + if args.namespace: + cmd.extend(['--namespace', args.namespace]) else: - serviceMatch = serviceRegEx.search(outputStrEscaped) - serviceMatchFmt = serviceRegEx.search(outputStr) if coloramaImported else serviceMatch - serviceStr = serviceMatchFmt.group('service') if (serviceMatchFmt is not None) else '' - - messageStr = serviceMatch.group('message') if (serviceMatch is not None) else '' - messageStrSplit = messageStr.split(' ') - messageTimeMatch = iso8601TimeRegEx.match(messageStrSplit[0]) - if (messageTimeMatch is None) or (len(messageStrSplit) <= 1): - messageStrToTestJson = messageStr - else: - messageStrToTestJson = messageStrSplit[1:].join(' ') - - outputJson = LoadStrIfJson(messageStrToTestJson) - if isinstance(outputJson, dict): - # if there's a timestamp, move it outside of the JSON to the beginning of the log string - timeKey = None - if 'time' in outputJson: - timeKey = 'time' - elif 'timestamp' in outputJson: - timeKey = 'timestamp' - elif '@timestamp' in outputJson: - timeKey = '@timestamp' - timeStr = '' - if timeKey is not None: - timeStr = f"{outputJson[timeKey]} " - outputJson.pop(timeKey, None) - elif messageTimeMatch is not None: - timeStr = f"{messageTimeMatch[0]} " - - if ( - ('job.schedule' in outputJson) - and ('job.position' in outputJson) - and ('job.command' in outputJson) - ): - # this is a status output line from supercronic, let's format and clean it up so it fits in better with the rest of the logs - - # remove some clutter for the display - for noisyKey in ['level', 'channel', 'iteration', 'job.position', 'job.schedule']: 
- outputJson.pop(noisyKey, None) - - # if it's just command and message, format those NOT as JSON - jobCmd = outputJson['job.command'] - jobStatus = outputJson['msg'] - if (len(outputJson.keys()) == 2) and ('job.command' in outputJson) and ('msg' in outputJson): - # if it's the most common status (starting or job succeeded) then don't print unless debug mode - if args.debug or ((jobStatus != 'starting') and (jobStatus != 'job succeeded')): - print( - f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr} {jobCmd}: {jobStatus}" - ) - else: - pass - - else: - # standardize and print the JSON output - print( - f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{json.dumps(outputJson)}" - ) - - elif 'dashboards' in serviceStr: - # this is an output line from dashboards, let's clean it up a bit: remove some clutter for the display - for noisyKey in ['type', 'tags', 'pid', 'method', 'prevState', 'prevMsg']: - outputJson.pop(noisyKey, None) + cmd.append('--all-namespaces') + cmd.append(args.service if args.service else '.*') - # standardize and print the JSON output - print( - f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{json.dumps(outputJson)}" - ) + else: + raise Exception( + f'{sys._getframe().f_code.co_name} with orchestration mode {orchMode} requires "stern" (https://github.com/stern/stern/releases/latest)' + ) - elif 'filebeat' in serviceStr: - # this is an output line from filebeat, let's clean it up a bit: remove some clutter for the display - for noisyKey in [ - 'ecs.version', - 'harvester_id', - 'input_id', - 'log.level', - 'log.logger', - 'log.origin', - 'os_id', - 'service.name', - 'state_id', - ]: - outputJson.pop(noisyKey, None) - - # we'll fancify a couple of common things from filebeat - if ( - (len(outputJson.keys()) == 3) - and ('message' in outputJson) - and ('source_file' in outputJson) - and ('finished' in outputJson) - ): - print( - f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} 
{timeStr}{outputJson['message'].rstrip('.')}: {outputJson['source_file']}" - ) + else: + cmd = [] + raise Exception(f'{sys._getframe().f_code.co_name} does not yet support {orchMode}') + + if cmd: + process = Popen( + cmd, + env=osEnv, + stdout=PIPE, + stderr=None if args.debug else DEVNULL, + ) + while not shuttingDown[0]: + output = process.stdout.readline() + if not output: + if process.poll() is not None: + break + else: + time.sleep(0.5) - elif len(outputJson.keys()) == 1: - outputKey = next(iter(outputJson)) - print( - f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{outputKey + ': ' if outputKey != 'message' else ''}{outputJson[outputKey]}" - ) - else: - # standardize and print the JSON output - print( - f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{json.dumps(outputJson)}" - ) + elif output := ProcessLogLine(output, debug=args.debug): + print(output) - else: - # standardize and print the JSON output - print( - f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{json.dumps(outputJson)}" - ) + if ( + output + and (args.cmdStart or args.cmdRestart) + and (not args.cmdLogs) + and finishedStartingRegEx.match(output) + ): + process.terminate() + try: + process.wait(timeout=5.0) + except TimeoutExpired: + process.kill() - else: - # just a regular non-JSON string, print as-is - print(outputStr if coloramaImported else outputStrEscaped) + print("\nStarted Malcolm\n") + printURLs() - else: - time.sleep(0.5) - - if finishedStarting: - process.terminate() - try: - process.wait(timeout=5.0) - except TimeoutExpired: - process.kill() - # # TODO: Replace 'localhost' with an outwards-facing IP since I doubt anybody is - # accessing these from the Malcolm server. 
- print("\nStarted Malcolm\n\n") - print("Malcolm services can be accessed via the following URLs:") - print("------------------------------------------------------------------------------") - print(" - Arkime: https://localhost/") - print(" - OpenSearch Dashboards: https://localhost/dashboards/") - print(" - PCAP upload (web): https://localhost/upload/") - print(" - PCAP upload (sftp): sftp://username@127.0.0.1:8022/files/") - print(" - Host and subnet name mapping editor: https://localhost/name-map-ui/") - print(" - NetBox: https://localhost/netbox/\n") - print(" - Account management: https://localhost:488/\n") - print(" - Documentation: https://localhost/readme/\n") - - process.poll() + process.poll() ################################################################################################### 
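Review bot: In netboxRestore's docker-compose branch the media archive is unpacked with `t.extractall(mediaPath)` and no member validation, so an archive containing `..` components, absolute names or symlinked members can write outside netbox/media; backupFileName is a caller-supplied path, so the archive cannot be assumed well-formed. Where the interpreter supports extraction filters, `t.extractall(mediaPath, filter='data')` rejects such members, otherwise each member's resolved path should be checked against mediaPath before extracting. This line was carried over from the removed code rather than introduced by this commit, but it is still the code under review. Separately, the Kubernetes migrate step in netboxRestore calls `eprint(podsResults)` unconditionally, while every other step in that branch only reports under args.debug — either gate it with `if args.debug:` or drop it. netboxBackup's body starts in the previous hunk; netboxRestore and logs are contained in this one.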
@@ -657,88 +789,117 @@ def stop(wipe=False): global dockerBin global dockerComposeBin global dockerComposeYaml + global orchMode - # docker-compose use local temporary path - osEnv = os.environ.copy() - osEnv['TMPDIR'] = MalcolmTmpPath + if orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # docker-compose use local temporary path + osEnv = os.environ.copy() + osEnv['TMPDIR'] = MalcolmTmpPath - # if stop.sh is being called with wipe.sh (after the docker-compose file) - # then also remove named and anonymous volumes (not external volumes, of course) - err, out = run_process( - [dockerComposeBin, '-f', args.composeFile, 'down', '--volumes'][: 5 if wipe else -1], - env=osEnv, - debug=args.debug, - ) - if err == 0: - eprint("Stopped Malcolm\n") - else: - eprint("Malcolm failed to stop\n") - eprint("\n".join(out)) - exit(err) - - if wipe: - # there is some overlap here among some of these containers, but it doesn't matter - boundPathsToWipe = ( - BoundPath("arkime", "/opt/arkime/logs", True, None, None), - BoundPath("arkime", "/opt/arkime/raw", True, None, None), - BoundPath("filebeat", "/zeek", True, None, None), - BoundPath("file-monitor", "/zeek/logs", True, None, None), - BoundPath("netbox", "/opt/netbox/netbox/media", True, None, ["."]), - BoundPath("netbox-postgres", "/var/lib/postgresql/data", True, None, ["."]), - BoundPath("netbox-redis", "/data", True, None, ["."]), - BoundPath("opensearch", "/usr/share/opensearch/data", True, ["nodes"], None), - BoundPath("pcap-monitor", "/pcap", True, ["processed", "upload"], None), - BoundPath("suricata", "/var/log/suricata", True, None, ["."]), - BoundPath("upload", "/var/www/upload/server/php/chroot/files", True, None, None), - BoundPath("zeek", "/zeek/extract_files", True, None, None), - BoundPath("zeek", "/zeek/upload", True, None, None), - BoundPath("zeek-live", "/zeek/live", True, ["spool"], None), - BoundPath( - "filebeat", - "/zeek", - False, - ["processed", "current", "live"], - ["processed", "current", "live"], 
- ), + # if stop.sh is being called with wipe.sh (after the docker-compose file) + # then also remove named and anonymous volumes (not external volumes, of course) + err, out = run_process( + [dockerComposeBin, '-f', args.composeFile, 'down', '--volumes'][: 5 if wipe else -1], + env=osEnv, + debug=args.debug, ) - for boundPath in boundPathsToWipe: - localPath = LocalPathForContainerBindMount( - boundPath.service, - dockerComposeYaml, - boundPath.container_dir, - MalcolmPath, + if err == 0: + eprint("Stopped Malcolm\n") + else: + eprint("Malcolm failed to stop\n") + eprint("\n".join(out)) + exit(err) + + if wipe: + # there is some overlap here among some of these containers, but it doesn't matter + boundPathsToWipe = ( + BoundPath("arkime", "/opt/arkime/logs", True, None, None), + BoundPath("arkime", "/opt/arkime/raw", True, None, None), + BoundPath("filebeat", "/zeek", True, None, None), + BoundPath("file-monitor", "/zeek/logs", True, None, None), + BoundPath("netbox", "/opt/netbox/netbox/media", True, None, ["."]), + BoundPath("netbox-postgres", "/var/lib/postgresql/data", True, None, ["."]), + BoundPath("netbox-redis", "/data", True, None, ["."]), + BoundPath("opensearch", "/usr/share/opensearch/data", True, ["nodes"], None), + BoundPath("pcap-monitor", "/pcap", True, ["processed", "upload"], None), + BoundPath("suricata", "/var/log/suricata", True, None, ["."]), + BoundPath("upload", "/var/www/upload/server/php/chroot/files", True, None, None), + BoundPath("zeek", "/zeek/extract_files", True, None, None), + BoundPath("zeek", "/zeek/upload", True, None, None), + BoundPath("zeek-live", "/zeek/live", True, ["spool"], None), + BoundPath( + "filebeat", + "/zeek", + False, + ["processed", "current", "live"], + ["processed", "current", "live"], + ), ) - if localPath and os.path.isdir(localPath): - # delete files - if boundPath.files: - if args.debug: - eprint(f'Walking "{localPath}" for file deletion') - for root, dirnames, filenames in os.walk(localPath, topdown=True, 
onerror=None): - for file in filenames: - fileSpec = os.path.join(root, file) - if (os.path.isfile(fileSpec) or os.path.islink(fileSpec)) and (not file.startswith('.git')): - try: - os.remove(fileSpec) - except: - pass - # delete whole directories - if boundPath.relative_dirs: - for relDir in GetIterable(boundPath.relative_dirs): - tmpPath = os.path.join(localPath, relDir) - if os.path.isdir(tmpPath): - if args.debug: - eprint(f'Performing rmtree on "{tmpPath}"') - shutil.rmtree(tmpPath, ignore_errors=True) - # cleanup empty directories - if boundPath.clean_empty_dirs: - for cleanDir in GetIterable(boundPath.clean_empty_dirs): - tmpPath = os.path.join(localPath, cleanDir) - if os.path.isdir(tmpPath): - if args.debug: - eprint(f'Performing RemoveEmptyFolders on "{tmpPath}"') - RemoveEmptyFolders(tmpPath, removeRoot=False) + for boundPath in boundPathsToWipe: + localPath = LocalPathForContainerBindMount( + boundPath.service, + dockerComposeYaml, + boundPath.container_dir, + MalcolmPath, + ) + if localPath and os.path.isdir(localPath): + # delete files + if boundPath.files: + if args.debug: + eprint(f'Walking "{localPath}" for file deletion') + for root, dirnames, filenames in os.walk(localPath, topdown=True, onerror=None): + for file in filenames: + fileSpec = os.path.join(root, file) + if (os.path.isfile(fileSpec) or os.path.islink(fileSpec)) and ( + not file.startswith('.git') + ): + try: + os.remove(fileSpec) + except Exception: + pass + # delete whole directories + if boundPath.relative_dirs: + for relDir in get_iterable(boundPath.relative_dirs): + tmpPath = os.path.join(localPath, relDir) + if os.path.isdir(tmpPath): + if args.debug: + eprint(f'Performing rmtree on "{tmpPath}"') + shutil.rmtree(tmpPath, ignore_errors=True) + # cleanup empty directories + if boundPath.clean_empty_dirs: + for cleanDir in get_iterable(boundPath.clean_empty_dirs): + tmpPath = os.path.join(localPath, cleanDir) + if os.path.isdir(tmpPath): + if args.debug: + eprint(f'Performing 
RemoveEmptyFolders on "{tmpPath}"') + RemoveEmptyFolders(tmpPath, removeRoot=False) + + eprint("Malcolm has been stopped and its data cleared\n") + + elif orchMode is OrchestrationFramework.KUBERNETES: + deleteResults = DeleteNamespace( + namespace=args.namespace, + deleteRetPerVol=args.deleteRetPerVol, + ) + + if dictsearch(deleteResults, 'error'): + eprint( + f"Deleting {args.namespace} namespace and its underlying resources returned the following error(s):\n" + ) + eprint(deleteResults) + eprint() - eprint("Malcolm has been stopped and its data cleared\n") + else: + eprint(f"The {args.namespace} namespace and its underlying resources have been deleted\n") + if args.debug: + eprint(deleteResults) + eprint() + + if wipe: + eprint(f'Data on PersistentVolume storage cannot be deleted by {ScriptName}: it must be deleted manually\n') + + else: + raise Exception(f'{sys._getframe().f_code.co_name} does not yet support {orchMode}') ################################################################################################### @@ -746,6 +907,7 @@ def start(): global args global dockerBin global dockerComposeBin + global orchMode # touch the htadmin metadata file and .opensearch.*.curlrc files open(os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata')), 'a').close() @@ -754,11 +916,11 @@ def start(): # make sure the auth files exist. if we are in an interactive shell and we're # missing any of the auth files, prompt to create them now - if sys.__stdin__.isatty() and (not MalcolmAuthFilesExist()): + if sys.__stdin__.isatty() and (not MalcolmAuthFilesExist(configDir=args.configDir)): authSetup() # still missing? sorry charlie - if not MalcolmAuthFilesExist(): + if not MalcolmAuthFilesExist(configDir=args.configDir): raise Exception( 'Malcolm administrator account authentication files are missing, please run ./scripts/auth_setup to generate them' ) 
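Review bot: In the new Kubernetes branch `DeleteNamespace(namespace=args.namespace, deleteRetPerVol=args.deleteRetPerVol)` is called on every stop, not only when `wipe` is set, and the argparse hunk `@@ -1627,6 +1871,19` sets `deleteRetPerVol=True` by default, so a plain `stop` removes PersistentVolumes whose reclaim policy is Retain — the volumes an operator marked to survive. The `if wipe:` message says the data cannot be deleted by the script, which reads at odds with PV objects being deleted by default on an ordinary stop (what DeleteNamespace does to the backing storage is not visible here). Consider tying the flag to the destructive path, `deleteRetPerVol=args.deleteRetPerVol and wipe,`, or defaulting the option to False in the parser. The `def stop(wipe=False)` line is outside the hunk.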
@@ -779,63 +941,13 @@ def start(): os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf')), os.path.join(MalcolmPath, '.opensearch.primary.curlrc'), os.path.join(MalcolmPath, '.opensearch.secondary.curlrc'), - os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'netbox.env'))), - os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'postgres.env'))), - os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'redis-cache.env'))), - os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'redis.env'))), ]: # chmod 600 authFile os.chmod(authFile, stat.S_IRUSR | stat.S_IWUSR) - - # make sure some directories exist before we start - boundPathsToCreate = ( - BoundPath("arkime", "/opt/arkime/logs", False, None, None), - BoundPath("arkime", "/opt/arkime/raw", False, None, None), - BoundPath("file-monitor", "/zeek/logs", False, None, None), - BoundPath("nginx-proxy", "/var/local/ca-trust", False, None, None), - BoundPath("netbox", "/opt/netbox/netbox/media", False, None, None), - BoundPath("netbox-postgres", "/var/lib/postgresql/data", False, None, None), - BoundPath("netbox-redis", "/data", False, None, None), - BoundPath("opensearch", "/usr/share/opensearch/data", False, ["nodes"], None), - BoundPath("opensearch", "/opt/opensearch/backup", False, None, None), - BoundPath("pcap-monitor", "/pcap", False, ["processed", "upload"], None), - BoundPath("suricata", "/var/log/suricata", False, ["live"], None), - BoundPath("upload", "/var/www/upload/server/php/chroot/files", False, None, None), - BoundPath("zeek", "/zeek/extract_files", False, None, None), - BoundPath("zeek", "/zeek/upload", False, None, None), - BoundPath("zeek", "/opt/zeek/share/zeek/site/intel", False, ["MISP", "STIX"], None), - BoundPath("zeek-live", "/zeek/live", False, ["spool"], None), - BoundPath("filebeat", "/zeek", False, ["processed", "current", "live", "extract_files", "upload"], None), - ) - for boundPath in boundPathsToCreate: - 
localPath = LocalPathForContainerBindMount( - boundPath.service, - dockerComposeYaml, - boundPath.container_dir, - MalcolmPath, - ) - if localPath: - try: - if args.debug: - eprint(f'Ensuring "{localPath}" exists') - os.makedirs(localPath) - except OSError as exc: - if (exc.errno == errno.EEXIST) and os.path.isdir(localPath): - pass - else: - raise - if boundPath.relative_dirs: - for relDir in GetIterable(boundPath.relative_dirs): - tmpPath = os.path.join(localPath, relDir) - try: - if args.debug: - eprint(f'Ensuring "{tmpPath}" exists') - os.makedirs(tmpPath) - except OSError as exc: - if (exc.errno == errno.EEXIST) and os.path.isdir(tmpPath): - pass - else: - raise + with pushd(args.configDir): + for envFile in glob.glob("*.env"): + # chmod 600 envFile + os.chmod(envFile, stat.S_IRUSR | stat.S_IWUSR) # touch the zeek intel file open(os.path.join(MalcolmPath, os.path.join('zeek', os.path.join('intel', '__load__.zeek'))), 'a').close() 
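Review bot: The `# chmod 600 envFile` comment on the new `glob.glob("*.env")` loop restates the code rather than why it runs; a why-comment would help the next reader: `# every .env under configDir may carry credentials (auth.env, netbox-*.env), so restrict them to owner read/write`. The explicit list just above it still points at `nginx_ldap.conf` and the `.opensearch.*.curlrc` files under MalcolmPath rather than `args.configDir`; if those were intentionally left out of the move, a one-line comment saying so would prevent a later "fix". The enclosing `start()` body continues on both sides of the hunk.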
@@ -843,25 +955,111 @@ def start(): # clean up any leftover intel update locks shutil.rmtree(os.path.join(MalcolmPath, os.path.join('zeek', os.path.join('intel', 'lock'))), ignore_errors=True) - # increase COMPOSE_HTTP_TIMEOUT to be ridiculously large so docker-compose never times out the TTY doing debug output - osEnv = os.environ.copy() - osEnv['COMPOSE_HTTP_TIMEOUT'] = '100000000' - # docker-compose use local temporary path - osEnv['TMPDIR'] = MalcolmTmpPath + if orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # make sure some directories exist before we start + boundPathsToCreate = ( + BoundPath("arkime", "/opt/arkime/logs", False, None, None), + BoundPath("arkime", "/opt/arkime/raw", False, None, None), + BoundPath("file-monitor", "/zeek/logs", False, None, None), + BoundPath("nginx-proxy", "/var/local/ca-trust", False, None, None), + BoundPath("netbox", "/opt/netbox/netbox/media", False, None, None), + BoundPath("netbox-postgres", "/var/lib/postgresql/data", False, None, None), + BoundPath("netbox-redis", "/data", False, None, None), + BoundPath("opensearch", "/usr/share/opensearch/data", False, ["nodes"], None), + BoundPath("opensearch", "/opt/opensearch/backup", False, None, None), + BoundPath("pcap-monitor", "/pcap", False, ["processed", "upload"], None), + BoundPath("suricata", "/var/log/suricata", False, ["live"], None), + BoundPath("upload", "/var/www/upload/server/php/chroot/files", False, None, None), + BoundPath("zeek", "/zeek/extract_files", False, None, None), + BoundPath("zeek", "/zeek/upload", False, None, None), + BoundPath("zeek", "/opt/zeek/share/zeek/site/intel", False, ["MISP", "STIX"], None), + BoundPath("zeek-live", "/zeek/live", False, ["spool"], None), + BoundPath("filebeat", "/zeek", False, ["processed", "current", "live", "extract_files", "upload"], None), + ) + for boundPath in boundPathsToCreate: + localPath = LocalPathForContainerBindMount( + boundPath.service, + dockerComposeYaml, + boundPath.container_dir, + MalcolmPath, + ) 
+ if localPath: + try: + if args.debug: + eprint(f'Ensuring "{localPath}" exists') + os.makedirs(localPath) + except OSError as exc: + if (exc.errno == errno.EEXIST) and os.path.isdir(localPath): + pass + else: + raise + if boundPath.relative_dirs: + for relDir in get_iterable(boundPath.relative_dirs): + tmpPath = os.path.join(localPath, relDir) + try: + if args.debug: + eprint(f'Ensuring "{tmpPath}" exists') + os.makedirs(tmpPath) + except OSError as exc: + if (exc.errno == errno.EEXIST) and os.path.isdir(tmpPath): + pass + else: + raise + + # increase COMPOSE_HTTP_TIMEOUT to be ridiculously large so docker-compose never times out the TTY doing debug output + osEnv = os.environ.copy() + osEnv['COMPOSE_HTTP_TIMEOUT'] = '100000000' + # docker-compose use local temporary path + osEnv['TMPDIR'] = MalcolmTmpPath + + # start docker + err, out = run_process( + [dockerComposeBin, '-f', args.composeFile, 'up', '--detach'], env=osEnv, debug=args.debug + ) + if err != 0: + eprint("Malcolm failed to start\n") + eprint("\n".join(out)) + exit(err) + + elif orchMode is OrchestrationFramework.KUBERNETES: + if CheckPersistentStorageDefs( + namespace=args.namespace, + malcolmPath=MalcolmPath, + ): + startResults = StartMalcolm( + namespace=args.namespace, + malcolmPath=MalcolmPath, + configPath=args.configDir, + ) + + if dictsearch(startResults, 'error'): + eprint( + f"Starting the {args.namespace} namespace and creating its underlying resources returned the following error(s):\n" + ) + eprint(startResults) + eprint() + + elif args.debug: + eprint() + eprint(startResults) + eprint() + + else: + groupedStorageEntries = { + i: [j[0] for j in j] + for i, j in groupby(sorted(REQUIRED_VOLUME_OBJECTS.items(), key=lambda x: x[1]), lambda x: x[1]) + } + raise Exception( + f'Storage objects required by Malcolm are not defined in {os.path.join(MalcolmPath, "kubernetes")}: {groupedStorageEntries}' + ) - # start docker - err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'up', 
'--detach'], env=osEnv, debug=args.debug) - if err != 0: - eprint("Malcolm failed to start\n") - eprint("\n".join(out)) - exit(err) + else: + raise Exception(f'{sys._getframe().f_code.co_name} does not yet support {orchMode}') ################################################################################################### def authSetup(wipe=False): global args - global dockerBin - global dockerComposeBin global opensslBin # for beats/logstash self-signed certificates @@ -869,8 +1067,8 @@ def authSetup(wipe=False): filebeatPath = os.path.join(MalcolmPath, os.path.join('filebeat', 'certs')) txRxScript = None - if (pyPlatform != PLATFORM_WINDOWS) and Which("croc"): - txRxScript = 'tx-rx-secure.sh' if Which('tx-rx-secure.sh') else None + if (pyPlatform != PLATFORM_WINDOWS) and which("croc"): + txRxScript = 'tx-rx-secure.sh' if which('tx-rx-secure.sh') else None if not txRxScript: txRxScript = os.path.join( MalcolmPath, os.path.join('shared', os.path.join('bin', os.path.join('tx-rx-secure.sh'))) @@ -921,7 +1119,9 @@ def authSetup(wipe=False): 'netbox', "(Re)generate internal passwords for NetBox", False, - not os.path.isfile(os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'netbox.env')))), + not os.path.isfile( + os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'netbox-secret.env'))) + ), ), ( 'txfwcerts', @@ -960,7 +1160,7 @@ def authSetup(wipe=False): eprint("Passwords do not match") # get previous admin username to remove from htpasswd file if it's changed - authEnvFile = os.path.join(MalcolmPath, 'auth.env') + authEnvFile = os.path.join(args.configDir, 'auth.env') if os.path.isfile(authEnvFile): prevAuthInfo = defaultdict(str) with open(authEnvFile, 'r') as f: 
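Review bot: In the Kubernetes branch of `start()`, when `dictsearch(startResults, 'error')` finds errors the code prints them and falls through, whereas the docker-compose branch does `exit(err)` after "Malcolm failed to start"; main() then continues (logs, `printURLs()`) against a namespace that may not have come up. Add an explicit failure exit after the error block, e.g. `eprint(); exit(1)` in place of the bare `eprint()` at the end of the `if dictsearch(...)` branch. The `def start()` line is outside the hunk.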
@@ -968,14 +1168,17 @@ def authSetup(wipe=False): try: k, v = line.rstrip().split("=") prevAuthInfo[k] = v.strip('"') - except: + except Exception: pass if len(prevAuthInfo['MALCOLM_USERNAME']) > 0: usernamePrevious = prevAuthInfo['MALCOLM_USERNAME'] # get openssl hash of password err, out = run_process( - [opensslBin, 'passwd', '-1', '-stdin'], stdin=password, stderr=False, debug=args.debug + [opensslBin, 'passwd', '-1', '-stdin'], + stdin=password, + stderr=False, + debug=args.debug, ) if (err == 0) and (len(out) > 0) and (len(out[0]) > 0): passwordEncrypted = out[0] @@ -989,6 +1192,7 @@ def authSetup(wipe=False): ) f.write(f'MALCOLM_USERNAME={username}\n') f.write(f'MALCOLM_PASSWORD={b64encode(passwordEncrypted.encode()).decode("ascii")}\n') + f.write('K8S_SECRET=True\n') os.chmod(authEnvFile, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) # create or update the htpasswd file @@ -1021,7 +1225,7 @@ def authSetup(wipe=False): try: k, v = line.rstrip().split("=") ldapDefaults[k] = v.strip('"').strip("'") - except: + except Exception: pass ldapProto = ldapDefaults.get("LDAP_PROTO", "ldap://") ldapHost = ldapDefaults.get("LDAP_HOST", "ds.example.com") @@ -1063,7 +1267,7 @@ def authSetup(wipe=False): f.write('; Change this to customize your title:\n') f.write('app_title = Malcolm User Management\n\n') f.write('; htpasswd file\n') - f.write('secure_path = ./config/htpasswd\n') + f.write('secure_path = ./auth/htpasswd\n') f.write('; metadata file\n') f.write('metadata_path = ./config/metadata\n\n') f.write('; administrator user/password (htpasswd -b -c -B ...)\n') 
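Review bot: `auth.env` now gets `K8S_SECRET=True` (presumably marking it as the source of a Kubernetes Secret), but the unchanged `os.chmod(authEnvFile, ...)` on the next line still grants `S_IRGRP | S_IROTH`, i.e. the file holding `MALCOLM_PASSWORD` is group- and world-readable, while the `netbox-*.env` files written into the same `args.configDir` (hunk `@@ -1414`) and the blanket chmod in `start()` use owner-only 0600. Unless something else needs to read it, tighten it to `os.chmod(authEnvFile, stat.S_IRUSR | stat.S_IWUSR)`. The hash on the context line is still produced with `openssl passwd -1` (MD5-crypt); if the consumer accepts `-5`/`-6`, that is worth a follow-up, though it is not part of this change.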
@@ -1071,17 +1275,17 @@ def authSetup(wipe=False): f.write('; username field quality checks\n') f.write(';\n') f.write('min_username_len = 4\n') - f.write('max_username_len = 12\n\n') + f.write('max_username_len = 32\n\n') f.write('; Password field quality checks\n') f.write(';\n') - f.write('min_password_len = 6\n') - f.write('max_password_len = 20\n\n') + f.write('min_password_len = 8\n') + f.write('max_password_len = 128\n\n') # touch the metadata file open(os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata')), 'a').close() DisplayMessage( - f'Additional local accounts can be created at https://localhost:488/ when Malcolm is running', + 'Additional local accounts can be created at https://localhost/auth/ when Malcolm is running', ) # generate HTTPS self-signed certificates @@ -1093,7 +1297,9 @@ def authSetup(wipe=False): # generate dhparam ------------------------------- err, out = run_process( - [opensslBin, 'dhparam', '-out', 'dhparam.pem', '2048'], stderr=True, debug=args.debug + [opensslBin, 'dhparam', '-out', 'dhparam.pem', '2048'], + stderr=True, + debug=args.debug, ) if err != 0: raise Exception(f'Unable to generate dhparam.pem file: {out}') @@ -1133,7 +1339,9 @@ def authSetup(wipe=False): # generate new ca/server/client certificates/keys # ca ------------------------------- err, out = run_process( - [opensslBin, 'genrsa', '-out', 'ca.key', '2048'], stderr=True, debug=args.debug + [opensslBin, 'genrsa', '-out', 'ca.key', '2048'], + stderr=True, + debug=args.debug, ) if err != 0: raise Exception(f'Unable to generate ca.key: {out}') @@ -1163,7 +1371,9 @@ def authSetup(wipe=False): # server ------------------------------- err, out = run_process( - [opensslBin, 'genrsa', '-out', 'server.key', '2048'], stderr=True, debug=args.debug + [opensslBin, 'genrsa', '-out', 'server.key', '2048'], + stderr=True, + debug=args.debug, ) if err != 0: raise Exception(f'Unable to generate server.key: {out}') 
@@ -1226,7 +1436,9 @@ def authSetup(wipe=False): # client ------------------------------- err, out = run_process( - [opensslBin, 'genrsa', '-out', 'client.key', '2048'], stderr=True, debug=args.debug + [opensslBin, 'genrsa', '-out', 'client.key', '2048'], + stderr=True, + debug=args.debug, ) if err != 0: raise Exception(f'Unable to generate client.key: {out}') @@ -1346,7 +1558,7 @@ def authSetup(wipe=False): eprint("Passwords do not match") esSslVerify = YesOrNo( - f'Require SSL certificate validation for OpenSearch communication?', + 'Require SSL certificate validation for OpenSearch communication?', default=(not (('k' in prevCurlContents) or ('insecure' in prevCurlContents))), ) @@ -1358,7 +1570,7 @@ def authSetup(wipe=False): else: try: os.remove(openSearchCredFileName) - except: + except Exception: pass open(openSearchCredFileName, 'a').close() os.chmod(openSearchCredFileName, stat.S_IRUSR | stat.S_IWUSR) @@ -1404,7 +1616,7 @@ def authSetup(wipe=False): eprint("\n".join(results)) elif authItem[0] == 'netbox': - with pushd(os.path.join(MalcolmPath, os.path.join('netbox', 'env'))): + with pushd(args.configDir): netboxPwAlphabet = string.ascii_letters + string.digits + '_' netboxKeyAlphabet = string.ascii_letters + string.digits + '%@<=>?~^_-' netboxPostGresPassword = ''.join(secrets.choice(netboxPwAlphabet) for i in range(24)) 
@@ -1414,24 +1626,27 @@ def authSetup(wipe=False): netboxSuToken = ''.join(secrets.choice(netboxPwAlphabet) for i in range(40)) netboxSecretKey = ''.join(secrets.choice(netboxKeyAlphabet) for i in range(50)) - with open('postgres.env', 'w') as f: + with open('netbox-postgres.env', 'w') as f: f.write('POSTGRES_DB=netbox\n') f.write(f'POSTGRES_PASSWORD={netboxPostGresPassword}\n') f.write('POSTGRES_USER=netbox\n') - os.chmod('postgres.env', stat.S_IRUSR | stat.S_IWUSR) + f.write('K8S_SECRET=True\n') + os.chmod('netbox-postgres.env', stat.S_IRUSR | stat.S_IWUSR) - with open('redis-cache.env', 'w') as f: + with open('netbox-redis-cache.env', 'w') as f: f.write(f'REDIS_PASSWORD={netboxRedisCachePassword}\n') - os.chmod('redis-cache.env', stat.S_IRUSR | stat.S_IWUSR) + f.write('K8S_SECRET=True\n') + os.chmod('netbox-redis-cache.env', stat.S_IRUSR | stat.S_IWUSR) - with open('redis.env', 'w') as f: + with open('netbox-redis.env', 'w') as f: f.write(f'REDIS_PASSWORD={netboxRedisPassword}\n') - os.chmod('redis.env', stat.S_IRUSR | stat.S_IWUSR) + f.write('K8S_SECRET=True\n') + os.chmod('netbox-redis.env', stat.S_IRUSR | stat.S_IWUSR) - if (not os.path.isfile('netbox.env')) and (os.path.isfile('netbox.env.example')): - shutil.copy2('netbox.env.example', 'netbox.env') + if (not os.path.isfile('netbox-secret.env')) and (os.path.isfile('netbox-secret.env.example')): + shutil.copy2('netbox-secret.env.example', 'netbox-secret.env') - with fileinput.FileInput('netbox.env', inplace=True, backup=None) as envFile: + with fileinput.FileInput('netbox-secret.env', inplace=True, backup=None) as envFile: for line in envFile: line = line.rstrip("\n") 
@@ -1471,14 +1686,20 @@ def authSetup(wipe=False): fr"\g<1>{netboxSuToken}", line, ) + elif line.startswith('K8S_SECRET'): + line = re.sub( + r'(SUPERUSER_API_TOKEN\s*=\s*)(\S+)', + fr"\g<1>True", + line, + ) print(line) - os.chmod('netbox.env', stat.S_IRUSR | stat.S_IWUSR) + os.chmod('netbox-secret.env', stat.S_IRUSR | stat.S_IWUSR) elif authItem[0] == 'txfwcerts': DisplayMessage( - f'Run configure-capture on the remote log forwarder, select "Configure Forwarding," then "Receive client SSL files..."', + 'Run configure-capture on the remote log forwarder, select "Configure Forwarding," then "Receive client SSL files..."', ) with pushd(filebeatPath): with Popen( @@ -1512,9 +1733,13 @@ def main(): global args global dockerBin global dockerComposeBin + global dockerComposeYaml + global kubeImported global opensslBin + global orchMode + global shuttingDown global yamlImported - global dockerComposeYaml + global dotenvImported # extract arguments from the command line # print (sys.argv[1:]); @@ -1541,7 +1766,27 @@ def main(): metavar='', type=str, default='docker-compose.yml', - help='docker-compose YML file', + help='docker-compose or kubeconfig YML file', + ) + parser.add_argument( + '-e', + '--environment-dir', + required=False, + dest='configDir', + metavar='', + type=str, + default=None, + help="Directory containing Malcolm's .env files", + ) + parser.add_argument( + '-n', + '--namespace', + required=False, + dest='namespace', + metavar='', + type=str, + default='malcolm', + help="Kubernetes namespace", ) parser.add_argument( '-s', @@ -1564,7 +1809,6 @@ def main(): help="Tail Malcolm logs", ) parser.add_argument( - '-n', '--lines', dest='logLineCount', type=posInt, 
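Review bot: The new `elif line.startswith('K8S_SECRET'):` branch can never rewrite the line, because its pattern `r'(SUPERUSER_API_TOKEN\s*=\s*)(\S+)'` searches for SUPERUSER_API_TOKEN on a line already known to start with K8S_SECRET; `re.sub` finds no match and `print(line)` emits it unchanged, so `netbox-secret.env` keeps whatever value the example file shipped (a copy of the branch above, by the look of it). The key in the pattern should be the one being tested: `line = re.sub(r'(K8S_SECRET\s*=\s*)\S+', r'\g<1>True', line)` — the replacement is constant, so neither `fr` nor the second group is needed. The enclosing `for line in envFile:` loop starts outside the hunk.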
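Review bot: `-n` is reassigned from `--lines` (removed in hunk `@@ -1564,7 +1809,6`) to the new `--namespace`, so an existing invocation such as `logs -n 100` still parses but now sets the namespace to `100` instead of the line count, with no error. Either keep `-n` on `--lines` and give namespace a different short option, or drop the short form altogether — `--namespace` alone has no conflict. The `--environment-dir` help could also state the fallback that main() applies later: `help="Directory containing Malcolm's .env files (default: ./config under the Malcolm directory)"`.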
@@ -1627,6 +1871,19 @@ def main(): default=False, help="Stop Malcolm and delete all data", ) + parser.add_argument( + '--reclaim-persistent-volume', + dest='deleteRetPerVol', + action='store_true', + help='Delete PersistentVolumes with Retain reclaim policy (default; only for "stop" operation with Kubernetes)', + ) + parser.add_argument( + '--no-reclaim-persistent-volume', + dest='deleteRetPerVol', + action='store_false', + help='Do not delete PersistentVolumes with Retain reclaim policy (only for "stop" operation with Kubernetes)', + ) + parser.set_defaults(deleteRetPerVol=True) parser.add_argument( '--auth', dest='cmdAuthSetup', @@ -1645,6 +1902,15 @@ def main(): default=False, help="Display status of Malcolm components", ) + parser.add_argument( + '--urls', + dest='cmdPrintURLs', + type=str2bool, + nargs='?', + const=True, + default=False, + help="Display Malcolm URLs", + ) try: parser.error = parser.exit @@ -1661,12 +1927,25 @@ def main(): else: sys.tracebacklimit = 0 + # handle sigint and sigterm for graceful shutdown + signal.signal(signal.SIGINT, shutdown_handler) + signal.signal(signal.SIGTERM, shutdown_handler) + yamlImported = YAMLDynamic(debug=args.debug) if args.debug: eprint(f"Imported yaml: {yamlImported}") if not yamlImported: exit(2) + dotenvImported = DotEnvDynamic(debug=args.debug) + if args.debug: + eprint(f"Imported dotenv: {dotenvImported}") + if not dotenvImported: + exit(2) + + if not ((orchMode := DetermineYamlFileFormat(args.composeFile)) and (orchMode in OrchestrationFrameworksSupported)): + raise Exception(f'{args.composeFile} must be a docker-compose or kubeconfig YAML file') + with pushd(MalcolmPath): # don't run this as root if (pyPlatform != PLATFORM_WINDOWS) and ( 
@@ -1674,6 +1953,22 @@ def main(): ): raise Exception(f'{ScriptName} should not be run as root') + # if .env directory is unspecified, use the default ./config directory + for firstLoop in (True, False): + if (args.configDir is None) or (not os.path.isdir(args.configDir)): + if firstLoop: + if args.configDir is None: + args.configDir = os.path.join(MalcolmPath, 'config') + try: + os.makedirs(args.configDir) + except OSError as exc: + if (exc.errno == errno.EEXIST) and os.path.isdir(args.configDir): + pass + else: + raise + else: + raise Exception("Could not determine configuration directory containing Malcolm's .env files") + # create local temporary directory for docker-compose because we may have noexec on /tmp try: os.makedirs(MalcolmTmpPath) 
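Review bot: `os.makedirs(args.configDir)` creates the directory that will hold `auth.env` and the `netbox-*.env` credential files with the process umask (commonly 0755); the files are later chmod'ed to 0600, but the directory itself stays world-listable. Consider `os.makedirs(args.configDir, mode=0o700)` (applies to the leaf only and is still subject to umask). Separately, on the first pass a user-supplied `-e` path that does not exist is created rather than reported, so a mistyped directory is silently accepted; the `else: raise Exception(...)` on the second pass is only reachable if makedirs returned without producing a directory, which is worth a comment if that is intended. The `with pushd(MalcolmPath):` block this sits in starts outside the hunk.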
@@ -1687,35 +1982,47 @@ def main(): osEnv = os.environ.copy() osEnv['TMPDIR'] = MalcolmTmpPath - # make sure docker/docker-compose is available - dockerBin = 'docker.exe' if ((pyPlatform == PLATFORM_WINDOWS) and Which('docker.exe')) else 'docker' - if (pyPlatform == PLATFORM_WINDOWS) and Which('docker-compose.exe'): - dockerComposeBin = 'docker-compose.exe' - elif Which('docker-compose'): - dockerComposeBin = 'docker-compose' - elif os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'): - dockerComposeBin = '/usr/libexec/docker/cli-plugins/docker-compose' - elif os.path.isfile('/usr/local/opt/docker-compose/bin/docker-compose'): - dockerComposeBin = '/usr/local/opt/docker-compose/bin/docker-compose' - elif os.path.isfile('/usr/local/bin/docker-compose'): - dockerComposeBin = '/usr/local/bin/docker-compose' - elif os.path.isfile('/usr/bin/docker-compose'): - dockerComposeBin = '/usr/bin/docker-compose' - else: - dockerComposeBin = 'docker-compose' - err, out = run_process([dockerBin, 'info'], debug=args.debug) - if err != 0: - raise Exception(f'{ScriptName} requires docker, please run install.py') - err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'version'], env=osEnv, debug=args.debug) - if err != 0: - raise Exception(f'{ScriptName} requires docker-compose, please run install.py') - - # load compose file YAML (used to find some volume bind mount locations) - with open(args.composeFile, 'r') as cf: - dockerComposeYaml = yamlImported.safe_load(cf) + if orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # make sure docker/docker-compose is available + dockerBin = 'docker.exe' if ((pyPlatform == PLATFORM_WINDOWS) and which('docker.exe')) else 'docker' + if (pyPlatform == PLATFORM_WINDOWS) and which('docker-compose.exe'): + dockerComposeBin = 'docker-compose.exe' + elif which('docker-compose'): + dockerComposeBin = 'docker-compose' + elif os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'): + dockerComposeBin = 
'/usr/libexec/docker/cli-plugins/docker-compose' + elif os.path.isfile('/usr/local/opt/docker-compose/bin/docker-compose'): + dockerComposeBin = '/usr/local/opt/docker-compose/bin/docker-compose' + elif os.path.isfile('/usr/local/bin/docker-compose'): + dockerComposeBin = '/usr/local/bin/docker-compose' + elif os.path.isfile('/usr/bin/docker-compose'): + dockerComposeBin = '/usr/bin/docker-compose' + else: + dockerComposeBin = 'docker-compose' + err, out = run_process([dockerBin, 'info'], debug=args.debug) + if err != 0: + raise Exception(f'{ScriptName} requires docker, please run install.py') + err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'version'], env=osEnv, debug=args.debug) + if err != 0: + raise Exception(f'{ScriptName} requires docker-compose, please run install.py') + + # load compose file YAML (used to find some volume bind mount locations) + with open(args.composeFile, 'r') as cf: + dockerComposeYaml = yamlImported.safe_load(cf) + + elif orchMode is OrchestrationFramework.KUBERNETES: + kubeImported = KubernetesDynamic(debug=args.debug) + if args.debug: + eprint(f"Imported kubernetes: {kubeImported}") + if kubeImported: + kubeImported.config.load_kube_config(args.composeFile) + else: + raise Exception( + f'{ScriptName} requires the official Python client library for kubernetes for {orchMode} mode' + ) # identify openssl binary - opensslBin = 'openssl.exe' if ((pyPlatform == PLATFORM_WINDOWS) and Which('openssl.exe')) else 'openssl' + opensslBin = 'openssl.exe' if ((pyPlatform == PLATFORM_WINDOWS) and which('openssl.exe')) else 'openssl' # if executed via a symlink, figure out what was intended via the symlink name if os.path.islink(os.path.join(ScriptPath, ScriptName)): 
@@ -1738,7 +2045,11 @@ def main(): elif ScriptName == "netbox-restore" and ( (not args.netboxRestoreFile) or (not os.path.isfile(args.netboxRestoreFile)) ): - raise Exception(f'NetBox configuration database file must be specified with --netbox-restore') + raise Exception('NetBox configuration database file must be specified with --netbox-restore') + + # the compose file references various .env files in just about every operation this script does, + # so make sure they exist right off the bat + checkEnvFilesExist() # stop Malcolm (and wipe data if requestsed) if args.cmdRestart or args.cmdStop or args.cmdWipe: @@ -1760,6 +2071,10 @@ def main(): if args.cmdStatus: status() + # display Malcolm URLS + if args.cmdPrintURLs: + printURLs() + # backup NetBox files if args.netboxBackupFile is not None: print(f"NetBox configuration database saved to {netboxBackup(args.netboxBackupFile)}") diff --git a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh b/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh index 4ed3b5999..bc765d011 100755 --- a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh +++ b/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh @@ -559,6 +559,7 @@ function InstallMalcolm { "LOGSTASH_REVERSE_DNS:'true'" "LOGSTASH_SEVERITY_SCORING:'true'" "PCAP_PIPELINE_IGNORE_PREEXISTING:'true'" + "PCAP_PIPELINE_POLLING:'true'" "YARA_MAX_REQUESTS:4" "ZEEK_AUTO_ANALYZE_PCAP_FILES:'true'" "ZEEK_DISABLE_BEST_GUESS_ICS:''" @@ -572,7 +573,8 @@ function InstallMalcolm { sed -i "s/\(^[[:space:]]*$KEY[[:space:]]*:[[:space:]]*\).*/\1$VALUE/g" "$CONFIG" done done - touch auth.env + mkdir -p ./config + touch ./config/auth.env grep image: docker-compose-standalone.yml | awk '{print $2}' | sort -u | xargs -l -r $SUDO_CMD docker pull echo "Please run $MALCOLM_PATH/scripts/auth_setup to complete configuration" >&2 popd >/dev/null 2>&1 diff --git a/scripts/demo/reset_and_auto_populate.sh b/scripts/demo/reset_and_auto_populate.sh index dd1997303..732646f48 100755 
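Review bot: `touch ./config/auth.env` creates the file with the caller's default umask, so it is typically world-readable (0644) from the moment it exists, and the following echo tells the operator to run `auth_setup` to complete configuration, which presumably writes credentials into it. Create it restrictively up front rather than relying on the later tool to tighten it: `mkdir -p ./config` / `(umask 077 && touch ./config/auth.env)`, or follow the `touch` with `chmod 600 ./config/auth.env`. The InstallMalcolm function extends beyond this hunk, so I have not checked whether permissions are fixed elsewhere.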
--- a/scripts/demo/reset_and_auto_populate.sh +++ b/scripts/demo/reset_and_auto_populate.sh @@ -319,7 +319,7 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \ # get the total number of session records in the database NEW_LOG_COUNT=$(( docker-compose -f "$MALCOLM_FILE" exec -u $(id -u) -T api \ - curl -sSL "http://localhost:5000/agg/event.provider?from=1970" | \ + curl -sSL "http://localhost:5000/mapi/agg/event.provider?from=1970" | \ jq -r '.. | .buckets? // empty | .[] | objects | [.doc_count] | join ("")' | \ awk '{s+=$1} END {print s}') 2>/dev/null ) if [[ $NEW_LOG_COUNT =~ $NUMERIC_REGEX ]] ; then @@ -370,7 +370,7 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \ sleep 5 docker-compose -f "$MALCOLM_FILE" exec -T dashboards-helper /data/opensearch_read_only.py -i _cluster sleep 5 - for CONTAINER in filebeat logstash upload pcap-monitor zeek name-map-ui pcap-capture freq; do + for CONTAINER in filebeat logstash upload pcap-monitor zeek pcap-capture freq; do docker-compose -f "$MALCOLM_FILE" pause "$CONTAINER" || true done sleep 5 diff --git a/scripts/install.py b/scripts/install.py index b43fad343..48e1596b8 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -5,6 +5,7 @@ import argparse import datetime +import errno import fileinput import getpass import glob 
@@ -27,7 +28,46 @@ getpwuid = None from collections import defaultdict, namedtuple -from malcolm_common import * +from malcolm_common import ( + AskForString, + ChooseMultiple, + ChooseOne, + DetermineYamlFileFormat, + DisplayMessage, + DOCKER_COMPOSE_INSTALL_URLS, + DOCKER_INSTALL_URLS, + DotEnvDynamic, + DownloadToFile, + HOMEBREW_INSTALL_URLS, + KubernetesDynamic, + MalcolmCfgRunOnceFile, + MalcolmPath, + OrchestrationFramework, + OrchestrationFrameworksSupported, + PLATFORM_LINUX, + PLATFORM_LINUX_CENTOS, + PLATFORM_LINUX_DEBIAN, + PLATFORM_LINUX_FEDORA, + PLATFORM_LINUX_UBUNTU, + PLATFORM_MAC, + PLATFORM_WINDOWS, + ReplaceBindMountLocation, + RequestsDynamic, + ScriptPath, + UserInputDefaultsBehavior, + UserInterfaceMode, + YAMLDynamic, + YesOrNo, +) +from malcolm_utils import ( + deep_get, + eprint, + run_process, + same_file_or_dir, + str2bool, + touch, + which, +) ################################################################################################### DOCKER_COMPOSE_INSTALL_VERSION = "2.14.2" @@ -37,6 +77,9 @@ MAC_BREW_DOCKER_PACKAGE = 'docker-edge' MAC_BREW_DOCKER_SETTINGS = '/Users/{}/Library/Group Containers/group.com.docker/settings.json' +LOGSTASH_JAVA_OPTS_DEFAULT = '-server -Xms2g -Xmx2g -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true' +OPENSEARCH_JAVA_OPTS_DEFAULT = '-server -Xms4g -Xmx4g -Xss256k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true' + ################################################################################################### ScriptName = os.path.basename(__file__) origPath = os.getcwd() 
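Review bot: The two new `*_JAVA_OPTS_DEFAULT` constants carry security-motivated flags with no explanation: `-Dlog4j.formatMsgNoLookups=true` is the Log4Shell (CVE-2021-44228) hardening switch and `-Djava.security.egd=file:/dev/./urandom` changes the JVM's SecureRandom seed source. Someone later tuning `-Xms`/`-Xmx` could drop them as noise, so document them with a comment above both constants along the lines of `# keep -Dlog4j.formatMsgNoLookups=true (Log4Shell hardening; complements, does not replace, a patched log4j) and -Djava.security.egd=file:/dev/./urandom (non-blocking entropy source) when adjusting heap sizes`. Stating where these defaults are consumed would also help, since no use of them is visible in this hunk.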
@@ -46,6 +89,12 @@ args = None requests_imported = None yaml_imported = None +kube_imported = None +dotenv_imported = None + +################################################################################################### +TrueOrFalseQuote = lambda x: "'true'" if x else "'false'" +TrueOrFalseNoQuote = lambda x: 'true' if x else 'false' ################################################################################################### @@ -156,14 +205,11 @@ def InstallerDisplayMessage( ) -def TrueOrFalseQuote(expression, falseIsBlank=False): - return "'{}'".format('true' if expression else '' if falseIsBlank else 'false') - - ################################################################################################### class Installer(object): # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - def __init__(self, debug=False, configOnly=False): + def __init__(self, orchMode, debug=False, configOnly=False): + self.orchMode = orchMode self.debug = debug self.configOnly = configOnly @@ -175,7 +221,7 @@ def __init__(self, debug=False, configOnly=False): self.requiredPackages = [] self.pipCmd = 'pip3' - if not Which(self.pipCmd, debug=self.debug): + if not which(self.pipCmd, debug=self.debug): self.pipCmd = 'pip' self.tempDirName = tempfile.mkdtemp() 
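Review bot: `TrueOrFalseQuote` and `TrueOrFalseNoQuote` are lambdas bound to names (PEP 8 E731); the `def` they replace was clearer, carries a real `__name__` in tracebacks and can take a docstring. The rewrite also silently drops the old `falseIsBlank` keyword, so any caller outside this hunk still passing it would now raise TypeError — worth a grep before merging. Suggest `def TrueOrFalseQuote(expression):` / `    return "'true'" if expression else "'false'"` with the same shape for the unquoted variant.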
@@ -242,18 +288,21 @@ def install_required_packages(self): # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ def install_docker_images(self, docker_image_file): result = False - if ( - docker_image_file - and os.path.isfile(docker_image_file) - and InstallerYesOrNo( - f'Load Malcolm Docker images from {docker_image_file}', default=True, forceInteraction=True - ) - ): - ecode, out = self.run_process(['docker', 'load', '-q', '-i', docker_image_file], privileged=True) - if ecode == 0: - result = True - else: - eprint(f"Loading Malcolm Docker images failed: {out}") + + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + if ( + docker_image_file + and os.path.isfile(docker_image_file) + and InstallerYesOrNo( + f'Load Malcolm Docker images from {docker_image_file}', default=True, forceInteraction=True + ) + ): + ecode, out = self.run_process(['docker', 'load', '-q', '-i', docker_image_file], privileged=True) + if ecode == 0: + result = True + else: + eprint(f"Loading Malcolm Docker images failed: {out}") + return result # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -280,7 +329,7 @@ def install_malcolm_files(self, malcolm_install_file): else: try: os.makedirs(installPath) - except: + except Exception: pass if os.path.isdir(installPath): break 
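Review bot: `install_docker_images` still hands an operator-supplied tarball straight to `docker load -i` under `privileged=True` after a yes/no prompt that confirms the path, not the content; nothing verifies a checksum or signature of the image archive. That is an acceptable trust boundary for an installer, but it should be stated at the call site, e.g. `# docker_image_file is trusted as-is: verify its checksum/signature out-of-band before loading` above the `self.run_process([...])` line. A short docstring should also say that the function now returns False without prompting when the orchestration mode is Kubernetes, since the caller can no longer tell "skipped" from "declined" or "failed".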
@@ -330,15 +379,30 @@ def tweak_malcolm_runtime( restart_mode_default=False, ): global args + global dotenv_imported + + configFiles = [] - if not args.configFile: - # get a list of all of the docker-compose files - composeFiles = glob.glob(os.path.join(malcolm_install_path, 'docker-compose*.yml')) + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # determine docker-compose files + if not args.configFile: + # get a list of all of the docker-compose files + configFiles = glob.glob(os.path.join(malcolm_install_path, 'docker-compose*.yml')) - elif os.path.isfile(args.configFile): - # single docker-compose file explicitly specified - composeFiles = [os.path.realpath(args.configFile)] - malcolm_install_path = os.path.dirname(composeFiles[0]) + elif os.path.isfile(args.configFile): + # single docker-compose file explicitly specified + configFiles = [os.path.realpath(args.configFile)] + malcolm_install_path = os.path.dirname(configFiles[0]) + + elif self.orchMode is OrchestrationFramework.KUBERNETES: + if args.configFile and os.path.isfile(args.configFile): + configFiles = [os.path.realpath(args.configFile)] + malcolm_install_path = os.path.realpath(os.path.join(ScriptPath, "..")) + else: + raise Exception(f"{self.orchMode} requires specifying kubeconfig file via -f/--config-file") + + if (not args.configDir) or (not os.path.isdir(args.configDir)): + raise Exception("Could not determine configuration directory containing Malcolm's .env files") # figure out what UID/GID to run non-rood processes under docker as puid = '1000' @@ -349,7 +413,7 @@ def tweak_malcolm_runtime( pgid = str(os.getgid()) if (puid == '0') or (pgid == '0'): raise Exception('it is preferrable not to run Malcolm as root, prompting for UID/GID instead') - except: + except Exception: puid = '1000' pgid = '1000' 
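Review bot: In the DOCKER_COMPOSE branch, when `args.configFile` is set but `os.path.isfile(args.configFile)` is false, neither branch runs and `configFiles` stays `[]`, so the remainder of tweak_malcolm_runtime presumably iterates over nothing and the operator's answers never reach a compose file, with no error. The new KUBERNETES branch raises in the analogous situation; make the compose branch consistent with an `else:` after the `elif`: `raise Exception(f'{args.configFile} does not exist')`. tweak_malcolm_runtime continues well past this hunk.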
@@ -365,34 +429,40 @@ def tweak_malcolm_runtime( puid = InstallerAskForString('Enter user ID (UID) for running non-root Malcolm processes') pgid = InstallerAskForString('Enter group ID (GID) for running non-root Malcolm processes') - # guestimate how much memory we should use based on total system memory + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # guestimate how much memory we should use based on total system memory - if self.debug: - eprint(f"{malcolm_install_path} contains {composeFiles}, system memory is {self.totalMemoryGigs} GiB") + if self.debug: + eprint( + f'{malcolm_install_path} with "{configFiles}" and "{args.configDir}", system memory is {self.totalMemoryGigs} GiB' + ) - if self.totalMemoryGigs >= 63.0: - osMemory = '30g' - lsMemory = '6g' - elif self.totalMemoryGigs >= 31.0: - osMemory = '16g' - lsMemory = '3g' - elif self.totalMemoryGigs >= 15.0: - osMemory = '10g' - lsMemory = '2500m' - elif self.totalMemoryGigs >= 11.0: - osMemory = '6g' - lsMemory = '2500m' - elif self.totalMemoryGigs >= 7.0: - eprint(f"Detected only {self.totalMemoryGigs} GiB of memory; performance will be suboptimal") - osMemory = '4g' - lsMemory = '2500m' - elif self.totalMemoryGigs > 0.0: - eprint(f"Detected only {self.totalMemoryGigs} GiB of memory; performance will be suboptimal") - osMemory = '3500m' - lsMemory = '2g' + if self.totalMemoryGigs >= 63.0: + osMemory = '30g' + lsMemory = '6g' + elif self.totalMemoryGigs >= 31.0: + osMemory = '16g' + lsMemory = '3g' + elif self.totalMemoryGigs >= 15.0: + osMemory = '10g' + lsMemory = '2500m' + elif self.totalMemoryGigs >= 11.0: + osMemory = '6g' + lsMemory = '2500m' + elif self.totalMemoryGigs >= 7.0: + eprint(f"Detected only {self.totalMemoryGigs} GiB of memory; performance will be suboptimal") + osMemory = '4g' + lsMemory = '2500m' + elif self.totalMemoryGigs > 0.0: + eprint(f"Detected only {self.totalMemoryGigs} GiB of memory; performance will be suboptimal") + osMemory = '3500m' + lsMemory = '2g' + else: 
+ eprint("Failed to determine system memory size, using defaults; performance may be suboptimal") + osMemory = '8g' + lsMemory = '3g' else: - eprint("Failed to determine system memory size, using defaults; performance may be suboptimal") - osMemory = '8g' + osMemory = '16g' lsMemory = '3g' # see Tuning and Profiling Logstash Performance @@ -400,12 +470,15 @@ def tweak_malcolm_runtime( # - https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html # - https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html # we don't want it too high, as in Malcolm Logstash also competes with OpenSearch, etc. for resources - if self.totalCores > 16: - lsWorkers = 10 - elif self.totalCores >= 12: - lsWorkers = 6 + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + if self.totalCores > 16: + lsWorkers = 10 + elif self.totalCores >= 12: + lsWorkers = 6 + else: + lsWorkers = 3 else: - lsWorkers = 3 + lsWorkers = 6 opensearchPrimaryRemote = False opensearchPrimaryUrl = 'http://opensearch:9200' @@ -413,6 +486,7 @@ def tweak_malcolm_runtime( opensearchSecondaryRemote = False opensearchSecondaryUrl = '' opensearchSecondarySslVerify = False + indexSnapshotCompressed = False opensearchPrimaryRemote = not InstallerYesOrNo( 'Should Malcolm use and maintain its own OpenSearch instance?', @@ -428,6 +502,7 @@ def tweak_malcolm_runtime( 'Require SSL certificate validation for communication with primary OpenSearch instance?', default=False, ) + indexSnapshotCompressed = InstallerYesOrNo('Compress OpenSearch index snapshots?', default=False) opensearchSecondaryRemote = InstallerYesOrNo( 'Forward Logstash logs to a secondary remote OpenSearch instance?', 
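Review bot: The KUBERNETES path of the memory sizing pins `osMemory = '16g'` and `lsMemory = '3g'` (and `lsWorkers = 6` in the following hunk) without consulting anything about the cluster, yet unlike the compose fallback it prints nothing, so an operator on small nodes gets no hint that these are fixed defaults rather than derived values. Add a message in that `else:` branch, e.g. `eprint(f"{self.orchMode}: node memory is not detected; using default heap sizes OpenSearch={osMemory}, Logstash={lsMemory}")`, plus a one-line comment saying the values must be tuned to the node's resources.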
@@ -462,7 +537,9 @@ def tweak_malcolm_runtime( restartMode = None allowedRestartModes = ('no', 'on-failure', 'always', 'unless-stopped') - if InstallerYesOrNo('Restart Malcolm upon system or Docker daemon restart?', default=restart_mode_default): + if (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and InstallerYesOrNo( + 'Restart Malcolm upon system or Docker daemon restart?', default=restart_mode_default + ): while restartMode not in allowedRestartModes: restartMode = InstallerChooseOne( 'Select Malcolm restart behavior', 
@@ -485,45 +562,55 @@ def tweak_malcolm_runtime( traefikEntrypoint = "" traefikResolver = "" - behindReverseProxy = InstallerYesOrNo( + behindReverseProxy = (self.orchMode is OrchestrationFramework.KUBERNETES) or InstallerYesOrNo( 'Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)?', default=(not nginxSSL) ) - if behindReverseProxy: - traefikLabels = InstallerYesOrNo('Configure labels for Traefik?', default=False) - if traefikLabels: - while len(traefikHost) <= 1: - traefikHost = InstallerAskForString( - 'Enter request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)' - ) - while (len(traefikOpenSearchHost) <= 1) or (traefikOpenSearchHost == traefikHost): - traefikOpenSearchHost = InstallerAskForString( - f'Enter request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.{traefikHost})' - ) - while len(traefikEntrypoint) <= 1: - traefikEntrypoint = InstallerAskForString( - 'Enter Traefik router entrypoint (e.g., websecure)', default="websecure" - ) - while len(traefikResolver) <= 1: - traefikResolver = InstallerAskForString( - 'Enter Traefik router resolver (e.g., myresolver)', default="myresolver" - ) + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + if behindReverseProxy: + traefikLabels = InstallerYesOrNo('Configure labels for Traefik?', default=False) + if traefikLabels: + while len(traefikHost) <= 1: + traefikHost = InstallerAskForString( + 'Enter request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)' + ) + while (len(traefikOpenSearchHost) <= 1) or (traefikOpenSearchHost == traefikHost): + traefikOpenSearchHost = InstallerAskForString( + f'Enter request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.{traefikHost})' + ) + while len(traefikEntrypoint) <= 1: + traefikEntrypoint = InstallerAskForString( + 'Enter Traefik router entrypoint (e.g., websecure)', default="websecure" + ) + 
while len(traefikResolver) <= 1: + traefikResolver = InstallerAskForString( + 'Enter Traefik router resolver (e.g., myresolver)', default="myresolver" + ) - dockerNetworkExternalName = InstallerAskForString( - 'Specify external Docker network name (or leave blank for default networking)', default="" - ) + dockerNetworkExternalName = InstallerAskForString( + 'Specify external Docker network name (or leave blank for default networking)', default="" + ) + + allowedAuthModes = { + 'Basic': 'true', + 'Lightweight Directory Access Protocol (LDAP)': 'false', + 'None': 'no_authentication', + } + authMode = None + while authMode not in list(allowedAuthModes.keys()): + authMode = InstallerChooseOne( + 'Select authentication method', + choices=[(x, '', x == 'Basic') for x in list(allowedAuthModes.keys())], + ) ldapStartTLS = False ldapServerType = 'winldap' - useBasicAuth = not InstallerYesOrNo( - 'Authenticate against Lightweight Directory Access Protocol (LDAP) server?', default=False - ) - if not useBasicAuth: + if 'ldap' in authMode.lower(): allowedLdapModes = ('winldap', 'openldap') ldapServerType = None while ldapServerType not in allowedLdapModes: ldapServerType = InstallerChooseOne( - f'Select LDAP server compatibility type', + 'Select LDAP server compatibility type', choices=[(x, '', x == 'winldap') for x in allowedLdapModes], ) ldapStartTLS = InstallerYesOrNo( @@ -535,11 +622,11 @@ def tweak_malcolm_runtime( ) as ldapDefaultsFile: print(f"LDAP_SERVER_TYPE='{ldapServerType}'", file=ldapDefaultsFile) print( - f"LDAP_PROTO='{'ldap://' if useBasicAuth or ldapStartTLS else 'ldaps://'}'", + f"LDAP_PROTO='{'ldap://' if ldapStartTLS else 'ldaps://'}'", file=ldapDefaultsFile, ) print(f"LDAP_PORT='{3268 if ldapStartTLS else 3269}'", file=ldapDefaultsFile) - except: + except Exception: pass # directories for data volume mounts (PCAP storage, Zeek log storage, OpenSearch indexes, etc.) 
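Review bot: The new `allowedAuthModes` menu offers `'None': 'no_authentication'` as a peer of Basic and LDAP with no warning, so a user stepping through the installer can switch off authentication for the Malcolm web interfaces as casually as picking LDAP. Since Basic is the default, add a confirmation for that one choice inside the `while` loop, after `InstallerChooseOne`: `if authMode == 'None' and not InstallerYesOrNo('Disable authentication entirely? Malcolm interfaces will be reachable without credentials', default=False): authMode = None` (which re-prompts), or at minimum label the choice `'None (no authentication; not recommended)'`. Where the `no_authentication` value is consumed lies outside this hunk, so I have not checked what else it turns off.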
@@ -564,121 +651,120 @@ def tweak_malcolm_runtime( zeekLogDirDefault = os.path.join(malcolm_install_path, zeekLogDir) zeekLogDirFull = os.path.realpath(zeekLogDirDefault) - if not InstallerYesOrNo( - 'Store PCAP, log and index files locally under {}?'.format(malcolm_install_path), - default=True, - ): - # PCAP directory - if not InstallerYesOrNo( - 'Store PCAP files locally in {}?'.format(pcapDirDefault), - default=True, - ): - while True: - pcapDir = InstallerAskForString('Enter PCAP directory') - if (len(pcapDir) > 1) and os.path.isdir(pcapDir): - pcapDirFull = os.path.realpath(pcapDir) - pcapDir = ( - f"./{os.path.relpath(pcapDirDefault, malcolm_install_path)}" - if same_file_or_dir(pcapDirDefault, pcapDirFull) - else pcapDirFull - ) - break - - # Zeek log directory + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: if not InstallerYesOrNo( - 'Store Zeek logs locally in {}?'.format(zeekLogDirDefault), + 'Store PCAP, log and index files locally under {}?'.format(malcolm_install_path), default=True, ): - while True: - zeekLogDir = InstallerAskForString('Enter Zeek log directory') - if (len(zeekLogDir) > 1) and os.path.isdir(zeekLogDir): - zeekLogDirFull = os.path.realpath(zeekLogDir) - zeekLogDir = ( - f"./{os.path.relpath(zeekLogDirDefault, malcolm_install_path)}" - if same_file_or_dir(zeekLogDirDefault, zeekLogDirFull) - else zeekLogDirFull - ) - break - - # Suricata log directory - if not InstallerYesOrNo( - 'Store Suricata logs locally in {}?'.format(suricataLogDirDefault), - default=True, - ): - while True: - suricataLogDir = InstallerAskForString('Enter Suricata log directory') - if (len(suricataLogDir) > 1) and os.path.isdir(suricataLogDir): - suricataLogDirFull = os.path.realpath(suricataLogDir) - suricataLogDir = ( - f"./{os.path.relpath(suricataLogDirDefault, malcolm_install_path)}" - if same_file_or_dir(suricataLogDirDefault, suricataLogDirFull) - else suricataLogDirFull - ) - break - - if not opensearchPrimaryRemote: - # opensearch index 
directory + # PCAP directory if not InstallerYesOrNo( - 'Store OpenSearch indices locally in {}?'.format(indexDirDefault), + 'Store PCAP files locally in {}?'.format(pcapDirDefault), default=True, ): while True: - indexDir = InstallerAskForString('Enter OpenSearch index directory') - if (len(indexDir) > 1) and os.path.isdir(indexDir): - indexDirFull = os.path.realpath(indexDir) - indexDir = ( - f"./{os.path.relpath(indexDirDefault, malcolm_install_path)}" - if same_file_or_dir(indexDirDefault, indexDirFull) - else indexDirFull + pcapDir = InstallerAskForString('Enter PCAP directory') + if (len(pcapDir) > 1) and os.path.isdir(pcapDir): + pcapDirFull = os.path.realpath(pcapDir) + pcapDir = ( + f"./{os.path.relpath(pcapDirDefault, malcolm_install_path)}" + if same_file_or_dir(pcapDirDefault, pcapDirFull) + else pcapDirFull ) break - # opensearch snapshot repository directory and compression + # Zeek log directory if not InstallerYesOrNo( - 'Store OpenSearch index snapshots locally in {}?'.format(indexSnapshotDirDefault), + 'Store Zeek logs locally in {}?'.format(zeekLogDirDefault), default=True, ): while True: - indexSnapshotDir = InstallerAskForString('Enter OpenSearch index snapshot directory') - if (len(indexSnapshotDir) > 1) and os.path.isdir(indexSnapshotDir): - indexSnapshotDirFull = os.path.realpath(indexSnapshotDir) - indexSnapshotDir = ( - f"./{os.path.relpath(indexSnapshotDirDefault, malcolm_install_path)}" - if same_file_or_dir(indexSnapshotDirDefault, indexSnapshotDirFull) - else indexSnapshotDirFull + zeekLogDir = InstallerAskForString('Enter Zeek log directory') + if (len(zeekLogDir) > 1) and os.path.isdir(zeekLogDir): + zeekLogDirFull = os.path.realpath(zeekLogDir) + zeekLogDir = ( + f"./{os.path.relpath(zeekLogDirDefault, malcolm_install_path)}" + if same_file_or_dir(zeekLogDirDefault, zeekLogDirFull) + else zeekLogDirFull ) break - # make sure paths specified (and their necessary children) exist - for pathToCreate in ( - indexDirFull, - 
indexSnapshotDirFull, - os.path.join(pcapDirFull, 'processed'), - os.path.join(pcapDirFull, 'upload'), - os.path.join(suricataLogDirFull, 'live'), - os.path.join(zeekLogDirFull, 'current'), - os.path.join(zeekLogDirFull, 'live'), - os.path.join(zeekLogDirFull, 'upload'), - os.path.join(zeekLogDirFull, os.path.join('extract_files', 'preserved')), - os.path.join(zeekLogDirFull, os.path.join('extract_files', 'quarantine')), - ): - try: - if args.debug: - eprint(f"Creating {pathToCreate}") - pathlib.Path(pathToCreate).mkdir(parents=True, exist_ok=True) - if ( - ((self.platform == PLATFORM_LINUX) or (self.platform == PLATFORM_MAC)) - and (self.scriptUser == "root") - and (getpwuid(os.stat(pathToCreate).st_uid).pw_name == self.scriptUser) + # Suricata log directory + if not InstallerYesOrNo( + 'Store Suricata logs locally in {}?'.format(suricataLogDirDefault), + default=True, ): - if args.debug: - eprint(f"Setting permissions of {pathToCreate} to {puid}:{pgid}") - # change ownership of newly-created directory to match puid/pgid - os.chown(pathToCreate, int(puid), int(pgid)) - except Exception as e: - eprint(f"Creating {pathToCreate} failed: {e}") + while True: + suricataLogDir = InstallerAskForString('Enter Suricata log directory') + if (len(suricataLogDir) > 1) and os.path.isdir(suricataLogDir): + suricataLogDirFull = os.path.realpath(suricataLogDir) + suricataLogDir = ( + f"./{os.path.relpath(suricataLogDirDefault, malcolm_install_path)}" + if same_file_or_dir(suricataLogDirDefault, suricataLogDirFull) + else suricataLogDirFull + ) + break - indexSnapshotCompressed = InstallerYesOrNo('Compress OpenSearch index snapshots?', default=False) + if not opensearchPrimaryRemote: + # opensearch index directory + if not InstallerYesOrNo( + 'Store OpenSearch indices locally in {}?'.format(indexDirDefault), + default=True, + ): + while True: + indexDir = InstallerAskForString('Enter OpenSearch index directory') + if (len(indexDir) > 1) and os.path.isdir(indexDir): + indexDirFull = 
os.path.realpath(indexDir) + indexDir = ( + f"./{os.path.relpath(indexDirDefault, malcolm_install_path)}" + if same_file_or_dir(indexDirDefault, indexDirFull) + else indexDirFull + ) + break + + # opensearch snapshot repository directory and compression + if not InstallerYesOrNo( + 'Store OpenSearch index snapshots locally in {}?'.format(indexSnapshotDirDefault), + default=True, + ): + while True: + indexSnapshotDir = InstallerAskForString('Enter OpenSearch index snapshot directory') + if (len(indexSnapshotDir) > 1) and os.path.isdir(indexSnapshotDir): + indexSnapshotDirFull = os.path.realpath(indexSnapshotDir) + indexSnapshotDir = ( + f"./{os.path.relpath(indexSnapshotDirDefault, malcolm_install_path)}" + if same_file_or_dir(indexSnapshotDirDefault, indexSnapshotDirFull) + else indexSnapshotDirFull + ) + break + + # make sure paths specified (and their necessary children) exist + for pathToCreate in ( + indexDirFull, + indexSnapshotDirFull, + os.path.join(pcapDirFull, 'processed'), + os.path.join(pcapDirFull, 'upload'), + os.path.join(suricataLogDirFull, 'live'), + os.path.join(zeekLogDirFull, 'current'), + os.path.join(zeekLogDirFull, 'live'), + os.path.join(zeekLogDirFull, 'upload'), + os.path.join(zeekLogDirFull, os.path.join('extract_files', 'preserved')), + os.path.join(zeekLogDirFull, os.path.join('extract_files', 'quarantine')), + ): + try: + if args.debug: + eprint(f"Creating {pathToCreate}") + pathlib.Path(pathToCreate).mkdir(parents=True, exist_ok=True) + if ( + ((self.platform == PLATFORM_LINUX) or (self.platform == PLATFORM_MAC)) + and (self.scriptUser == "root") + and (getpwuid(os.stat(pathToCreate).st_uid).pw_name == self.scriptUser) + ): + if args.debug: + eprint(f"Setting permissions of {pathToCreate} to {puid}:{pgid}") + # change ownership of newly-created directory to match puid/pgid + os.chown(pathToCreate, int(puid), int(pgid)) + except Exception as e: + eprint(f"Creating {pathToCreate} failed: {e}") # delete oldest indexes based on index 
pattern size indexPruneSizeLimit = '0' 
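Review bot: The comment `# opensearch snapshot repository directory and compression` is now stale: the `indexSnapshotCompressed = InstallerYesOrNo(...)` prompt was removed from this block (it is asked earlier in the function in this change), so only the directory prompt remains under that heading. Change it to `# opensearch snapshot repository directory`. It would also help to add `# local data directories only apply to docker-compose; Kubernetes storage is defined by the manifests` above the `if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:` guard, since the `*DirFull` defaults computed just above are otherwise unused in that mode. This function continues beyond the hunk.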
@@ -694,28 +780,47 @@ def tweak_malcolm_runtime( 'Determine oldest indices by name (instead of creation time)?', default=True ) + # let Arkime delete old PCAP files based on available storage + arkimeManagePCAP = InstallerYesOrNo( + 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', + default=False, + ) + autoSuricata = InstallerYesOrNo('Automatically analyze all PCAP files with Suricata?', default=True) suricataRuleUpdate = autoSuricata and InstallerYesOrNo( 'Download updated Suricata signatures periodically?', default=False ) autoZeek = InstallerYesOrNo('Automatically analyze all PCAP files with Zeek?', default=True) + zeekICSBestGuess = autoZeek and InstallerYesOrNo( + 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', default=False + ) reverseDns = InstallerYesOrNo( 'Perform reverse DNS lookup locally for source and destination IP addresses in logs?', default=False ) autoOui = InstallerYesOrNo('Perform hardware vendor OUI lookups for MAC addresses?', default=True) autoFreq = InstallerYesOrNo('Perform string randomness scoring on some fields?', default=True) - opensearchOpen = (not opensearchPrimaryRemote) and InstallerYesOrNo( - 'Expose OpenSearch port to external hosts?', default=expose_opensearch_default - ) - logstashOpen = InstallerYesOrNo('Expose Logstash port to external hosts?', default=expose_logstash_default) - filebeatTcpOpen = InstallerYesOrNo( - 'Expose Filebeat TCP port to external hosts?', default=expose_filebeat_default - ) - filebeatTcpSourceField = '' - filebeatTcpTargetField = '' - filebeatTcpDropField = '' + + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + opensearchOpen = (not opensearchPrimaryRemote) and InstallerYesOrNo( + 'Expose OpenSearch port to external hosts?', default=expose_opensearch_default + ) + logstashOpen = InstallerYesOrNo('Expose Logstash port to external hosts?', default=expose_logstash_default) + filebeatTcpOpen = 
InstallerYesOrNo( + 'Expose Filebeat TCP port to external hosts?', default=expose_filebeat_default + ) + else: + opensearchOpen = not opensearchPrimaryRemote + logstashOpen = True + filebeatTcpOpen = True + + filebeatTcpFormat = 'json' + filebeatTcpSourceField = 'message' + filebeatTcpTargetField = 'miscbeat' + filebeatTcpDropField = filebeatTcpSourceField filebeatTcpTag = '_malcolm_beats' - if filebeatTcpOpen: + if filebeatTcpOpen and not InstallerYesOrNo( + 'Use default field values for Filebeat TCP listener?', default=True + ): allowedFilebeatTcpFormats = ('json', 'raw') filebeatTcpFormat = 'unset' while filebeatTcpFormat not in allowedFilebeatTcpFormats: @@ -726,24 +831,22 @@ def tweak_malcolm_runtime( if filebeatTcpFormat == 'json': filebeatTcpSourceField = InstallerAskForString( 'Source field to parse for messages sent to Filebeat TCP listener', - default="message", + default=filebeatTcpSourceField, ) filebeatTcpTargetField = InstallerAskForString( 'Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener', - default="miscbeat", + default=filebeatTcpTargetField, ) filebeatTcpDropField = InstallerAskForString( - f'Field to drop from events sent to Filebeat TCP listener', + 'Field to drop from events sent to Filebeat TCP listener', default=filebeatTcpSourceField, ) filebeatTcpTag = InstallerAskForString( - f'Tag to apply to messages sent to Filebeat TCP listener', + 'Tag to apply to messages sent to Filebeat TCP listener', default=filebeatTcpTag, ) - else: - filebeatTcpFormat = 'raw' - sftpOpen = InstallerYesOrNo( + sftpOpen = (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and InstallerYesOrNo( 'Expose SFTP server (for PCAP upload) to external hosts?', default=expose_sftp_default ) 
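Review bot: In the non-compose `else:` branch `opensearchOpen`, `logstashOpen` and `filebeatTcpOpen` are forced to True, so in Kubernetes mode the "expose to external hosts" settings are written with no prompt and no message, and the `expose_*_default` parameters are ignored. Whether those flags open anything outside the cluster depends on the Service/Ingress manifests, which are not in this hunk, but the silent flip deserves a comment such as `# Kubernetes: listener exposure is governed by the Service/Ingress manifests, so the compose-style 'expose port?' prompts are skipped and the flags default to open`, and the function's docstring should state that `expose_*_default` only apply to docker-compose.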
@@ -751,7 +854,6 @@ def tweak_malcolm_runtime( allowedFileCarveModes = ('none', 'known', 'mapped', 'all', 'interesting') allowedFilePreserveModes = ('quarantined', 'all', 'none') - fileCarveModeUser = None fileCarveMode = None filePreserveMode = None vtotApiKey = '0' 
@@ -825,29 +927,22 @@ def tweak_malcolm_runtime( pcapNetSniff = False pcapTcpDump = False liveZeek = False - zeekICSBestGuess = False liveSuricata = False pcapIface = 'lo' tweakIface = False pcapFilter = '' - arkimeManagePCAP = False - - if InstallerYesOrNo( - 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', default=False - ): - pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=True) - pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=(not pcapNetSniff)) - arkimeManagePCAP = InstallerYesOrNo( - 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', - default=False, - ) - liveSuricata = InstallerYesOrNo('Should Malcolm analyze live network traffic with Suricata?', default=False) - liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=False) - - zeekICSBestGuess = (autoZeek or liveZeek) and InstallerYesOrNo( - 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', default=False - ) + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + if InstallerYesOrNo( + 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', default=False + ): + pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=True) + if not pcapNetSniff: + pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=True) + liveSuricata = InstallerYesOrNo( + 'Should Malcolm analyze live network traffic with Suricata?', default=False + ) + liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=False) if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: pcapIface = '' 
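Review bot: The capture prompts now make netsniff-ng and tcpdump mutually exclusive (`if not pcapNetSniff: pcapTcpDump = InstallerYesOrNo(...)`), a behaviour change from the previous code, which offered both, but nothing records why; presumably it is to avoid two capture processes writing into the same PCAP directory. Add `# netsniff-ng and tcpdump are alternatives; only offer tcpdump when netsniff-ng was declined` above that line. Also worth a comment at the `if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:` guard that live capture is compose-only, so the `pcapIface = 'lo'` / `tweakIface = False` defaults left in place for Kubernetes are not mistaken for a bug. The `if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata:` block continues outside this hunk.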
@@ -862,731 +957,794 @@ def tweak_malcolm_runtime( dashboardsDarkMode = InstallerYesOrNo('Enable dark mode for OpenSearch Dashboards?', default=True) - # modify specified values in-place in docker-compose files - for composeFile in composeFiles: - # save off owner of original files - composeFileStat = os.stat(composeFile) - origUid, origGuid = composeFileStat[4], composeFileStat[5] - composeFileHandle = fileinput.FileInput(composeFile, inplace=True, backup=None) - try: - sectionIndents = defaultdict(lambda: ' ') - currentSection = None - currentService = None - networkWritten = False - - for line in composeFileHandle: - line = line.rstrip("\n") - skipLine = False - sectionStartLine = False - serviceStartLine = False - - # it would be cleaner to use something like PyYAML to do this, but I want to have as few dependencies - # as possible so we're going to do it janky instead. Also, as of right now pyyaml doesn't preserve - # comments, which is a big deal for this complicated docker-compose file. There is - # https://pypi.org/project/ruamel.yaml to possibly consider if we're comfortable with the dependency. - - # determine which section of the compose file we are in (e.g., services, networks, volumes, etc.) 
- sectionMatch = re.match(r'^([^\s#]+):\s*(#.*)?$', line) - if sectionMatch is not None: - currentSection = sectionMatch.group(1) - sectionStartLine = True - currentService = None - - # determine indentation for each compose file section (assumes YML file is consistently indented) - if (currentSection is not None) and (not currentSection in sectionIndents): - indentMatch = re.search(r'^(\s+)\S+\s*:\s*$', line) - if indentMatch is not None: - sectionIndents[currentSection] = indentMatch.group(1) - - # determine which service we're currently processing in the YML file - if currentSection == 'services': - serviceMatch = re.search(fr'^{sectionIndents[currentSection]}(\S+)\s*:\s*$', line) - if serviceMatch is not None: - currentService = serviceMatch.group(1).lower() - serviceStartLine = True - - if currentSection is None: - # variables defined in the sections at the top of the compose file - - if 'PUID' in line: - # process UID - line = re.sub(r'(PUID\s*:\s*)(\S+)', fr"\g<1>{puid}", line) - - elif 'PGID' in line: - # process GID - line = re.sub(r'(PGID\s*:\s*)(\S+)', fr"\g<1>{pgid}", line) - - elif 'PCAP_NODE_NAME' in line: - # capture source "node name" for locally processed PCAP files - line = re.sub(r'(PCAP_NODE_NAME\s*:\s*)(\S+)', fr"\g<1>'{HostName}'", line) - - elif 'NGINX_SSL' in line: - # HTTPS (nginxSSL=True) vs unencrypted HTTP (nginxSSL=False) - line = re.sub(r'(NGINX_SSL\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(nginxSSL)}", line) - - elif 'NGINX_BASIC_AUTH' in line: - # basic (useBasicAuth=True) vs ldap (useBasicAuth=False) - line = re.sub( - r'(NGINX_BASIC_AUTH\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(useBasicAuth)}", line - ) - - elif 'NGINX_LDAP_TLS_STUNNEL' in line: - # StartTLS vs. 
ldap:// or ldaps:// - line = re.sub( - r'(NGINX_LDAP_TLS_STUNNEL\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(((not useBasicAuth) and ldapStartTLS))}", - line, - ) - - elif 'ZEEK_EXTRACTOR_MODE' in line: - # zeek file extraction mode - line = re.sub(r'(ZEEK_EXTRACTOR_MODE\s*:\s*)(\S+)', fr"\g<1>'{fileCarveMode}'", line) - - elif 'ZEEK_DISABLE_BEST_GUESS_ICS' in line: - # disable/enable ICS best guess - line = re.sub( - r'(ZEEK_DISABLE_BEST_GUESS_ICS\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(not zeekICSBestGuess, falseIsBlank=True)}", - line, - ) - - elif 'EXTRACTED_FILE_PRESERVATION' in line: - # zeek file preservation mode - line = re.sub( - r'(EXTRACTED_FILE_PRESERVATION\s*:\s*)(\S+)', fr"\g<1>'{filePreserveMode}'", line - ) - - elif 'EXTRACTED_FILE_HTTP_SERVER_ENABLE' in line: - # HTTP server for extracted files - line = re.sub( - r'(EXTRACTED_FILE_HTTP_SERVER_ENABLE\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(fileCarveHttpServer)}", - line, - ) - - elif 'EXTRACTED_FILE_HTTP_SERVER_ENCRYPT' in line: - # encrypt HTTP server for extracted files - line = re.sub( - r'(EXTRACTED_FILE_HTTP_SERVER_ENCRYPT\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(fileCarveHttpServer and (len(fileCarveHttpServeEncryptKey) > 0))}", - line, - ) - - elif 'EXTRACTED_FILE_HTTP_SERVER_KEY' in line: - # key for encrypted HTTP-served extracted files (' -> '' for escaping in YAML) - fileCarveHttpServeEncryptKeyEscaped = fileCarveHttpServeEncryptKey.replace("'", "''") - line = re.sub( - r'(EXTRACTED_FILE_HTTP_SERVER_KEY\s*:\s*)(\S+)', - fr"\g<1>'{fileCarveHttpServeEncryptKeyEscaped}'", - line, - ) - - elif 'VTOT_API2_KEY' in line: - # virustotal API key - line = re.sub(r'(VTOT_API2_KEY\s*:\s*)(\S+)', fr"\g<1>'{vtotApiKey}'", line) - - elif 'EXTRACTED_FILE_ENABLE_YARA' in line: - # file scanning via yara - line = re.sub( - r'(EXTRACTED_FILE_ENABLE_YARA\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(yaraScan)}", line - ) - - elif 'EXTRACTED_FILE_ENABLE_CAPA' in line: - # PE file scanning via capa - line = 
re.sub( - r'(EXTRACTED_FILE_ENABLE_CAPA\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(capaScan)}", line - ) - - elif 'EXTRACTED_FILE_ENABLE_CLAMAV' in line: - # file scanning via clamav - line = re.sub( - r'(EXTRACTED_FILE_ENABLE_CLAMAV\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(clamAvScan)}", - line, - ) - - elif 'EXTRACTED_FILE_UPDATE_RULES' in line: - # rule updates (yara/capa via git, clamav via freshclam) - line = re.sub( - r'(EXTRACTED_FILE_UPDATE_RULES\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(fileScanRuleUpdate)}", - line, - ) - - elif 'SURICATA_UPDATE_RULES' in line: - # Suricata signature updates (via suricata-update) - line = re.sub( - r'(SURICATA_UPDATE_RULES\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(suricataRuleUpdate)}", - line, - ) - - elif 'PCAP_ENABLE_NETSNIFF' in line: - # capture pcaps via netsniff-ng - line = re.sub( - r'(PCAP_ENABLE_NETSNIFF\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(pcapNetSniff)}", line - ) - - elif 'PCAP_ENABLE_TCPDUMP' in line: - # capture pcaps via tcpdump - line = re.sub( - r'(PCAP_ENABLE_TCPDUMP\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(pcapTcpDump)}", line - ) - - elif 'MANAGE_PCAP_FILES' in line: - # Whether or not Arkime is allowed to delete uploaded/captured PCAP - line = re.sub( - r'(MANAGE_PCAP_FILES\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(arkimeManagePCAP)}", line - ) - - elif 'ZEEK_LIVE_CAPTURE' in line: - # live traffic analysis with Zeek - line = re.sub( - r'(ZEEK_LIVE_CAPTURE\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(liveZeek)}", line - ) - - elif 'ZEEK_ROTATED_PCAP' in line: - # rotated captured PCAP analysis with Zeek (not live capture) - line = re.sub( - r'(ZEEK_ROTATED_PCAP\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(autoZeek and (not liveZeek))}", - line, - ) - - elif 'SURICATA_LIVE_CAPTURE' in line: - # live traffic analysis with Suricata - line = re.sub( - r'(SURICATA_LIVE_CAPTURE\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(liveSuricata)}", line - ) - - elif 'SURICATA_ROTATED_PCAP' in line: - # rotated captured 
PCAP analysis with Suricata (not live capture) - line = re.sub( - r'(SURICATA_ROTATED_PCAP\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(autoSuricata and (not liveSuricata))}", - line, - ) - - elif 'PCAP_IFACE_TWEAK' in line: - # disable NIC hardware offloading features and adjust ring buffers - line = re.sub( - r'(PCAP_IFACE_TWEAK\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(tweakIface)}", line - ) - - elif 'PCAP_IFACE' in line: - # capture interface(s) - line = re.sub(r'(PCAP_IFACE\s*:\s*)(\S+)', fr"\g<1>'{pcapIface}'", line) - - elif 'PCAP_FILTER' in line: - # capture filter - line = re.sub(r'(PCAP_FILTER\s*:)(.*)', fr"\g<1> '{pcapFilter}'", line) - - elif 'ZEEK_AUTO_ANALYZE_PCAP_FILES' in line: - # automatic uploaded pcap analysis with Zeek - line = re.sub( - r'(ZEEK_AUTO_ANALYZE_PCAP_FILES\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(autoZeek)}", - line, - ) - - elif 'SURICATA_AUTO_ANALYZE_PCAP_FILES' in line: - # automatic uploaded pcap analysis with suricata - line = re.sub( - r'(SURICATA_AUTO_ANALYZE_PCAP_FILES\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(autoSuricata)}", - line, - ) - - elif 'LOGSTASH_REVERSE_DNS' in line: - # automatic local reverse dns lookup - line = re.sub( - r'(LOGSTASH_REVERSE_DNS\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(reverseDns)}", line - ) - - elif 'LOGSTASH_OUI_LOOKUP' in line: - # automatic MAC OUI lookup - line = re.sub( - r'(LOGSTASH_OUI_LOOKUP\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(autoOui)}", line - ) - - elif 'LOGSTASH_NETWORK_MAP_ENRICHMENT' in line: - # enrich network traffic metadata directly from net-map.json - line = re.sub( - r'(LOGSTASH_NETWORK_MAP_ENRICHMENT\s*:(\s*&\S+)?\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(not netboxLogstashEnrich)}", - line, - ) - - elif 'LOGSTASH_NETBOX_ENRICHMENT' in line: - # enrich network traffic metadata via NetBox API calls - line = re.sub( - r'(LOGSTASH_NETBOX_ENRICHMENT\s*:(\s*&\S+)?\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(netboxLogstashEnrich)}", - line, - ) - - elif 'NETBOX_DISABLED' in 
line: - # enable/disable netbox - line = re.sub( - r'(NETBOX_DISABLED\s*:(\s*&\S+)?\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(not netboxEnabled)}", - line, - ) - - elif 'NETBOX_DEFAULT_SITE' in line: - # NetBox default site name - line = re.sub( - r'(NETBOX_DEFAULT_SITE\s*:\s*)(\S+)', - fr"\g<1>'{netboxSiteName}'", - line, - ) - - elif 'pipeline.workers' in line: - # logstash pipeline workers - line = re.sub(r'(pipeline\.workers\s*:\s*)(\S+)', fr"\g<1>{lsWorkers}", line) - - elif 'DASHBOARDS_DARKMODE' in line: - # turn on dark mode, or not - line = re.sub( - r'(DASHBOARDS_DARKMODE\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(dashboardsDarkMode)}", - line, - ) - - elif 'FREQ_LOOKUP' in line: - # freq.py string randomness calculations - line = re.sub(r'(FREQ_LOOKUP\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(autoFreq)}", line) - - elif 'FILEBEAT_TCP_LISTEN' in line: - # expose a filebeat TCP input listener - line = re.sub( - r'(FILEBEAT_TCP_LISTEN\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(filebeatTcpOpen)}", - line, - ) - - elif 'FILEBEAT_TCP_LOG_FORMAT' in line: - # log format expected for events sent to the filebeat TCP input listener - line = re.sub( - r'(FILEBEAT_TCP_LOG_FORMAT\s*:\s*)(\S+)', fr"\g<1>'{filebeatTcpFormat}'", line - ) - - elif 'FILEBEAT_TCP_PARSE_SOURCE_FIELD' in line: - # source field name to parse for events sent to the filebeat TCP input listener - line = re.sub( - r'(FILEBEAT_TCP_PARSE_SOURCE_FIELD\s*:\s*)(\S+)', - fr"\g<1>'{filebeatTcpSourceField}'", - line, - ) - - elif 'FILEBEAT_TCP_PARSE_TARGET_FIELD' in line: - # target field name to store decoded JSON fields for events sent to the filebeat TCP input listener - line = re.sub( - r'(FILEBEAT_TCP_PARSE_TARGET_FIELD\s*:\s*)(\S+)', - fr"\g<1>'{filebeatTcpTargetField}'", - line, - ) - - elif 'FILEBEAT_TCP_PARSE_DROP_FIELD' in line: - # field to drop in events sent to the filebeat TCP input listener - line = re.sub( - r'(FILEBEAT_TCP_PARSE_DROP_FIELD\s*:\s*)(\S+)', fr"\g<1>'{filebeatTcpDropField}'", 
line - ) - - elif 'FILEBEAT_TCP_TAG' in line: - # tag to append to events sent to the filebeat TCP input listener - line = re.sub(r'(FILEBEAT_TCP_TAG\s*:\s*)(\S+)', fr"\g<1>'{filebeatTcpTag}'", line) - - elif 'OPENSEARCH_LOCAL' in line: - # OpenSearch primary instance is local vs. remote - line = re.sub( - r'(OPENSEARCH_LOCAL\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(not opensearchPrimaryRemote)}", - line, - ) - - elif 'OPENSEARCH_URL' in line: - # OpenSearch primary instance URL - line = re.sub(r'(OPENSEARCH_URL\s*:\s*)(\S+)', fr"\g<1>'{opensearchPrimaryUrl}'", line) - - elif 'OPENSEARCH_SSL_CERTIFICATE_VERIFICATION' in line: - # OpenSearch primary instance needs SSL verification - line = re.sub( - r'(OPENSEARCH_SSL_CERTIFICATE_VERIFICATION\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(opensearchPrimarySslVerify)}", - line, - ) - - elif 'OPENSEARCH_SECONDARY_URL' in line: - # OpenSearch secondary instance URL - line = re.sub( - r'(OPENSEARCH_SECONDARY_URL\s*:\s*)(\S+)', fr"\g<1>'{opensearchSecondaryUrl}'", line - ) - - elif 'OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION' in line: - # OpenSearch secondary instance needs SSL verification - line = re.sub( - r'(OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(opensearchSecondarySslVerify)}", - line, - ) - - elif 'OPENSEARCH_SECONDARY' in line: - # OpenSearch secondary remote instance is enabled - line = re.sub( - r'(OPENSEARCH_SECONDARY\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(opensearchSecondaryRemote)}", - line, - ) + # modify values in .env files in args.configDir - elif 'ISM_SNAPSHOT_COMPRESSED' in line: - # OpenSearch index state management snapshot compression - line = re.sub( - r'(ISM_SNAPSHOT_COMPRESSED\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(indexSnapshotCompressed)}", - line, - ) - - elif 'OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT' in line: - # delete based on index pattern size - line = re.sub( - r'(OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT\s*:\s*)(\S+)', - 
fr"\g<1>'{indexPruneSizeLimit}'", - line, - ) - - elif 'OPENSEARCH_INDEX_SIZE_PRUNE_NAME_SORT' in line: - # delete based on index pattern size (sorted by name vs. creation time) - line = re.sub( - r'(OPENSEARCH_INDEX_SIZE_PRUNE_NAME_SORT\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(indexPruneNameSort)}", - line, - ) - - elif (currentSection == 'services') and (not serviceStartLine) and (currentService is not None): - # down in the individual services sections of the compose file - - if re.match(r'^\s*restart\s*:.*$', line): - # whether or not to restart services automatically (on boot, etc.) - line = f"{sectionIndents[currentSection] * 2}restart: {restartMode}" - - elif currentService == 'arkime': - # stuff specifically in the arkime section - if re.match(r'^\s*-.+:/data/pcap(:.+)?\s*$', line): - # Arkime's reference to the PCAP directory - line = ReplaceBindMountLocation( - line, - pcapDir, - sectionIndents[currentSection] * 3, - ) - - elif currentService == 'filebeat': - # stuff specifically in the filebeat section - if re.match(r'^[\s#]*-\s*"([\d\.]+:)?\d+:\d+"\s*$', line): - # set bind IP based on whether it should be externally exposed or not - line = re.sub( - r'^([\s#]*-\s*")([\d\.]+:)?(\d+:\d+"\s*)$', - fr"\g<1>{'0.0.0.0' if filebeatTcpOpen else '127.0.0.1'}:\g<3>", - line, - ) - - elif re.match(r'^\s*-.+:/suricata(:.+)?\s*$', line): - # filebeat's reference to the suricata-logs directory - line = ReplaceBindMountLocation( - line, - suricataLogDir, - sectionIndents[currentSection] * 3, - ) + # first, if the args.configDir is completely empty, then populate from defaults + defaultConfigDir = os.path.join(malcolm_install_path, 'config') + if ( + os.path.isdir(defaultConfigDir) + and (not same_file_or_dir(defaultConfigDir, args.configDir)) + and (not os.listdir(args.configDir)) + ): + for defaultEnvExampleFile in glob.glob(os.path.join(defaultConfigDir, '*.env.example')): + shutil.copy2(defaultEnvExampleFile, args.configDir) - elif 
re.match(r'^\s*-.+:/zeek(:.+)?\s*$', line): - # filebeat's reference to the zeek-logs directory - line = ReplaceBindMountLocation( - line, - zeekLogDir, - sectionIndents[currentSection] * 3, - ) + # if a specific config/*.env file doesn't exist, use the *.example.env files as defaults + for envExampleFile in glob.glob(os.path.join(args.configDir, '*.env.example')): + envFile = envExampleFile[: -len('.example')] + if not os.path.isfile(envFile): + shutil.copyfile(envExampleFile, envFile) - elif currentService == 'file-monitor': - # stuff specifically in the file-monitor section - if re.match(r'^\s*-.+:/zeek/extract_files(:.+)?\s*$', line): - # file-monitor's reference to the zeek-logs/extract_files directory - line = ReplaceBindMountLocation( - line, - os.path.join(zeekLogDir, 'extract_files'), - sectionIndents[currentSection] * 3, - ) + # change ownership of .envs file to match puid/pgid + if ( + ((self.platform == PLATFORM_LINUX) or (self.platform == PLATFORM_MAC)) + and (self.scriptUser == "root") + and (getpwuid(os.stat(args.configDir).st_uid).pw_name == self.scriptUser) + ): + if args.debug: + eprint(f"Setting permissions of {args.configDir} to {puid}:{pgid}") + os.chown(args.configDir, int(puid), int(pgid)) + envFiles = [] + for exts in ('*.env', '*.env.example'): + envFiles.extend(glob.glob(os.path.join(args.configDir, exts))) + for envFile in envFiles: + if ( + ((self.platform == PLATFORM_LINUX) or (self.platform == PLATFORM_MAC)) + and (self.scriptUser == "root") + and (getpwuid(os.stat(envFile).st_uid).pw_name == self.scriptUser) + ): + if args.debug: + eprint(f"Setting permissions of {envFile} to {puid}:{pgid}") + os.chown(envFile, int(puid), int(pgid)) + + # define environment variables to be set in .env files + EnvValue = namedtuple("EnvValue", ["envFile", "key", "value"], rename=False) + + EnvValues = [ + # Whether or not Arkime is allowed to delete uploaded/captured PCAP + EnvValue( + os.path.join(args.configDir, 'arkime.env'), + 'MANAGE_PCAP_FILES', 
+ TrueOrFalseNoQuote(arkimeManagePCAP), + ), + # authentication method: basic (true), ldap (false) or no_authentication + EnvValue( + os.path.join(args.configDir, 'auth-common.env'), + 'NGINX_BASIC_AUTH', + allowedAuthModes.get(authMode, TrueOrFalseNoQuote(True)), + ), + # StartTLS vs. ldap:// or ldaps:// + EnvValue( + os.path.join(args.configDir, 'auth-common.env'), + 'NGINX_LDAP_TLS_STUNNEL', + TrueOrFalseNoQuote(('ldap' in authMode.lower()) and ldapStartTLS), + ), + # turn on dark mode, or not + EnvValue( + os.path.join(args.configDir, 'dashboards-helper.env'), + 'DASHBOARDS_DARKMODE', + TrueOrFalseNoQuote(dashboardsDarkMode), + ), + # OpenSearch index state management snapshot compression + EnvValue( + os.path.join(args.configDir, 'dashboards-helper.env'), + 'ISM_SNAPSHOT_COMPRESSED', + TrueOrFalseNoQuote(indexSnapshotCompressed), + ), + # delete based on index pattern size + EnvValue( + os.path.join(args.configDir, 'dashboards-helper.env'), + 'OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT', + indexPruneSizeLimit, + ), + # delete based on index pattern size (sorted by name vs. 
creation time) + EnvValue( + os.path.join(args.configDir, 'dashboards-helper.env'), + 'OPENSEARCH_INDEX_SIZE_PRUNE_NAME_SORT', + TrueOrFalseNoQuote(indexPruneNameSort), + ), + # expose a filebeat TCP input listener + EnvValue( + os.path.join(args.configDir, 'filebeat.env'), + 'FILEBEAT_TCP_LISTEN', + TrueOrFalseNoQuote(filebeatTcpOpen), + ), + # log format expected for events sent to the filebeat TCP input listener + EnvValue( + os.path.join(args.configDir, 'filebeat.env'), + 'FILEBEAT_TCP_LOG_FORMAT', + filebeatTcpFormat, + ), + # source field name to parse for events sent to the filebeat TCP input listener + EnvValue( + os.path.join(args.configDir, 'filebeat.env'), + 'FILEBEAT_TCP_PARSE_SOURCE_FIELD', + filebeatTcpSourceField, + ), + # target field name to store decoded JSON fields for events sent to the filebeat TCP input listener + EnvValue( + os.path.join(args.configDir, 'filebeat.env'), + 'FILEBEAT_TCP_PARSE_TARGET_FIELD', + filebeatTcpTargetField, + ), + # field to drop in events sent to the filebeat TCP input listener + EnvValue( + os.path.join(args.configDir, 'filebeat.env'), + 'FILEBEAT_TCP_PARSE_DROP_FIELD', + filebeatTcpDropField, + ), + # tag to append to events sent to the filebeat TCP input listener + EnvValue( + os.path.join(args.configDir, 'filebeat.env'), + 'FILEBEAT_TCP_TAG', + filebeatTcpTag, + ), + # logstash memory allowance + EnvValue( + os.path.join(args.configDir, 'logstash.env'), + 'LS_JAVA_OPTS', + re.sub(r'(-Xm[sx])(\w+)', fr'\g<1>{lsMemory}', LOGSTASH_JAVA_OPTS_DEFAULT), + ), + # automatic local reverse dns lookup + EnvValue( + os.path.join(args.configDir, 'logstash.env'), + 'LOGSTASH_REVERSE_DNS', + TrueOrFalseNoQuote(reverseDns), + ), + # automatic MAC OUI lookup + EnvValue( + os.path.join(args.configDir, 'logstash.env'), + 'LOGSTASH_OUI_LOOKUP', + TrueOrFalseNoQuote(autoOui), + ), + # enrich network traffic metadata via NetBox API calls + EnvValue( + os.path.join(args.configDir, 'logstash.env'), + 'LOGSTASH_NETBOX_ENRICHMENT', + 
TrueOrFalseNoQuote(netboxLogstashEnrich), + ), + # logstash pipeline workers + EnvValue( + os.path.join(args.configDir, 'logstash.env'), + 'pipeline.workers', + lsWorkers, + ), + # freq.py string randomness calculations + EnvValue( + os.path.join(args.configDir, 'lookup-common.env'), + 'FREQ_LOOKUP', + TrueOrFalseNoQuote(autoFreq), + ), + # NetBox default site name + EnvValue( + os.path.join(args.configDir, 'netbox-common.env'), + 'NETBOX_DEFAULT_SITE', + netboxSiteName, + ), + # enable/disable netbox + EnvValue( + os.path.join(args.configDir, 'netbox-common.env'), + 'NETBOX_DISABLED', + TrueOrFalseNoQuote(not netboxEnabled), + ), + # enable/disable netbox (postgres) + EnvValue( + os.path.join(args.configDir, 'netbox-common.env'), + 'NETBOX_POSTGRES_DISABLED', + TrueOrFalseNoQuote(not netboxEnabled), + ), + # enable/disable netbox (redis) + EnvValue( + os.path.join(args.configDir, 'netbox-common.env'), + 'NETBOX_REDIS_DISABLED', + TrueOrFalseNoQuote(not netboxEnabled), + ), + # enable/disable netbox (redis cache) + EnvValue( + os.path.join(args.configDir, 'netbox-common.env'), + 'NETBOX_REDIS_CACHE_DISABLED', + TrueOrFalseNoQuote(not netboxEnabled), + ), + # HTTPS (nginxSSL=True) vs unencrypted HTTP (nginxSSL=False) + EnvValue( + os.path.join(args.configDir, 'nginx.env'), + 'NGINX_SSL', + TrueOrFalseNoQuote(nginxSSL), + ), + # OpenSearch primary instance is local vs. 
remote + EnvValue( + os.path.join(args.configDir, 'opensearch.env'), + 'OPENSEARCH_LOCAL', + TrueOrFalseNoQuote(not opensearchPrimaryRemote), + ), + # OpenSearch primary instance URL + EnvValue( + os.path.join(args.configDir, 'opensearch.env'), + 'OPENSEARCH_URL', + opensearchPrimaryUrl, + ), + # OpenSearch primary instance needs SSL verification + EnvValue( + os.path.join(args.configDir, 'opensearch.env'), + 'OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', + TrueOrFalseNoQuote(opensearchPrimarySslVerify), + ), + # OpenSearch secondary instance URL + EnvValue( + os.path.join(args.configDir, 'opensearch.env'), + 'OPENSEARCH_SECONDARY_URL', + opensearchSecondaryUrl, + ), + # OpenSearch secondary instance needs SSL verification + EnvValue( + os.path.join(args.configDir, 'opensearch.env'), + 'OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION', + TrueOrFalseNoQuote(opensearchSecondarySslVerify), + ), + # OpenSearch secondary remote instance is enabled + EnvValue( + os.path.join(args.configDir, 'opensearch.env'), + 'OPENSEARCH_SECONDARY', + TrueOrFalseNoQuote(opensearchSecondaryRemote), + ), + # OpenSearch memory allowance + EnvValue( + os.path.join(args.configDir, 'opensearch.env'), + 'OPENSEARCH_JAVA_OPTS', + re.sub(r'(-Xm[sx])(\w+)', fr'\g<1>{osMemory}', OPENSEARCH_JAVA_OPTS_DEFAULT), + ), + # capture pcaps via netsniff-ng + EnvValue( + os.path.join(args.configDir, 'pcap-capture.env'), + 'PCAP_ENABLE_NETSNIFF', + TrueOrFalseNoQuote(pcapNetSniff), + ), + # capture pcaps via tcpdump + EnvValue( + os.path.join(args.configDir, 'pcap-capture.env'), + 'PCAP_ENABLE_TCPDUMP', + TrueOrFalseNoQuote(pcapTcpDump and (not pcapNetSniff)), + ), + # disable NIC hardware offloading features and adjust ring buffers + EnvValue( + os.path.join(args.configDir, 'pcap-capture.env'), + 'PCAP_IFACE_TWEAK', + TrueOrFalseNoQuote(tweakIface), + ), + # capture interface(s) + EnvValue( + os.path.join(args.configDir, 'pcap-capture.env'), + 'PCAP_IFACE', + pcapIface, + ), + # capture filter + EnvValue( + 
os.path.join(args.configDir, 'pcap-capture.env'), + 'PCAP_FILTER', + pcapFilter, + ), + # process UID + EnvValue( + os.path.join(args.configDir, 'process.env'), + 'PUID', + puid, + ), + # process GID + EnvValue( + os.path.join(args.configDir, 'process.env'), + 'PGID', + pgid, + ), + # Suricata signature updates (via suricata-update) + EnvValue( + os.path.join(args.configDir, 'suricata.env'), + 'SURICATA_UPDATE_RULES', + TrueOrFalseNoQuote(suricataRuleUpdate), + ), + # live traffic analysis with Suricata + EnvValue( + os.path.join(args.configDir, 'suricata-live.env'), + 'SURICATA_LIVE_CAPTURE', + TrueOrFalseNoQuote(liveSuricata), + ), + # rotated captured PCAP analysis with Suricata (not live capture) + EnvValue( + os.path.join(args.configDir, 'suricata-offline.env'), + 'SURICATA_ROTATED_PCAP', + TrueOrFalseNoQuote(autoSuricata and (not liveSuricata)), + ), + # automatic uploaded pcap analysis with suricata + EnvValue( + os.path.join(args.configDir, 'suricata-offline.env'), + 'SURICATA_AUTO_ANALYZE_PCAP_FILES', + TrueOrFalseNoQuote(autoSuricata), + ), + # capture source "node name" for locally processed PCAP files + EnvValue( + os.path.join(args.configDir, 'upload-common.env'), + 'PCAP_NODE_NAME', + HostName, + ), + # zeek file extraction mode + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'ZEEK_EXTRACTOR_MODE', + fileCarveMode, + ), + # zeek file preservation mode + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'EXTRACTED_FILE_PRESERVATION', + filePreserveMode, + ), + # HTTP server for extracted files + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'EXTRACTED_FILE_HTTP_SERVER_ENABLE', + TrueOrFalseNoQuote(fileCarveHttpServer), + ), + # encrypt HTTP server for extracted files + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'EXTRACTED_FILE_HTTP_SERVER_ENCRYPT', + TrueOrFalseNoQuote(fileCarveHttpServer and (len(fileCarveHttpServeEncryptKey) > 0)), + ), + # key for encrypted HTTP-served extracted files (' -> '' for escaping in 
YAML) + EnvValue( + os.path.join(args.configDir, 'zeek-secret.env'), + 'EXTRACTED_FILE_HTTP_SERVER_KEY', + fileCarveHttpServeEncryptKey, + ), + # virustotal API key + EnvValue( + os.path.join(args.configDir, 'zeek-secret.env'), + 'VTOT_API2_KEY', + vtotApiKey, + ), + # file scanning via yara + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'EXTRACTED_FILE_ENABLE_YARA', + TrueOrFalseNoQuote(yaraScan), + ), + # PE file scanning via capa + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'EXTRACTED_FILE_ENABLE_CAPA', + TrueOrFalseNoQuote(capaScan), + ), + # file scanning via clamav + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'EXTRACTED_FILE_ENABLE_CLAMAV', + TrueOrFalseNoQuote(clamAvScan), + ), + # rule updates (yara/capa via git, clamav via freshclam) + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'EXTRACTED_FILE_UPDATE_RULES', + TrueOrFalseNoQuote(fileScanRuleUpdate), + ), + # disable/enable ICS best guess + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'ZEEK_DISABLE_BEST_GUESS_ICS', + '' if zeekICSBestGuess else TrueOrFalseNoQuote(not zeekICSBestGuess), + ), + # live traffic analysis with Zeek + EnvValue( + os.path.join(args.configDir, 'zeek-live.env'), + 'ZEEK_LIVE_CAPTURE', + TrueOrFalseNoQuote(liveZeek), + ), + # rotated captured PCAP analysis with Zeek (not live capture) + EnvValue( + os.path.join(args.configDir, 'zeek-offline.env'), + 'ZEEK_ROTATED_PCAP', + TrueOrFalseNoQuote(autoZeek and (not liveZeek)), + ), + # automatic uploaded pcap analysis with Zeek + EnvValue( + os.path.join(args.configDir, 'zeek-offline.env'), + 'ZEEK_AUTO_ANALYZE_PCAP_FILES', + TrueOrFalseNoQuote(autoZeek), + ), + # Use polling for file watching vs. 
native + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'EXTRACTED_FILE_WATCHER_POLLING', + TrueOrFalseNoQuote(self.orchMode is OrchestrationFramework.KUBERNETES), + ), + EnvValue( + os.path.join(args.configDir, 'upload-common.env'), + 'PCAP_PIPELINE_POLLING', + TrueOrFalseNoQuote(self.orchMode is OrchestrationFramework.KUBERNETES), + ), + EnvValue( + os.path.join(args.configDir, 'filebeat.env'), + 'FILEBEAT_WATCHER_POLLING', + TrueOrFalseNoQuote(self.orchMode is OrchestrationFramework.KUBERNETES), + ), + ] - elif re.match(r'^\s*-.+:/zeek/logs(:.+)?\s*$', line): - # zeek's reference to the zeek-logs/current directory - line = ReplaceBindMountLocation( - line, - os.path.join(zeekLogDir, 'current'), - sectionIndents[currentSection] * 3, - ) + # now, go through and modify the values in the .env files + for val in EnvValues: + try: + touch(val.envFile) + except Exception: + pass - elif currentService == 'logstash': - # stuff specifically in the logstash section - if 'LS_JAVA_OPTS' in line: - # logstash memory allowance - line = re.sub(r'(-Xm[sx])(\w+)', fr'\g<1>{lsMemory}', line) - - if re.match(r'^[\s#]*-\s*"([\d\.]+:)?\d+:\d+"\s*$', line): - # set bind IP based on whether it should be externally exposed or not - line = re.sub( - r'^([\s#]*-\s*")([\d\.]+:)?(\d+:\d+"\s*)$', - fr"\g<1>{'0.0.0.0' if logstashOpen else '127.0.0.1'}:\g<3>", - line, - ) + try: + dotenv_imported.set_key( + val.envFile, + val.key, + val.value, + quote_mode='never', + encoding='utf-8', + ) + except Exception as e: + eprint(f"Setting value for {val.key} in {val.envFile} module failed: {e}") + + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # modify docker-compose specific values (port mappings, volume bind mounts, etc.) 
in-place in docker-compose files + for composeFile in configFiles: + # save off owner of original files + composeFileStat = os.stat(composeFile) + origUid, origGuid = composeFileStat[4], composeFileStat[5] + composeFileHandle = fileinput.FileInput(composeFile, inplace=True, backup=None) + try: + sectionIndents = defaultdict(lambda: ' ') + currentSection = None + currentService = None + networkWritten = False + + for line in composeFileHandle: + line = line.rstrip("\n") + skipLine = False + sectionStartLine = False + serviceStartLine = False + + # it would be cleaner to use something like PyYAML to do this, but I want to have as few dependencies + # as possible so we're going to do it janky instead. Also, as of right now pyyaml doesn't preserve + # comments, which is a big deal for this complicated docker-compose file. There is + # https://pypi.org/project/ruamel.yaml to possibly consider if we're comfortable with the dependency. + + # determine which section of the compose file we are in (e.g., services, networks, volumes, etc.) 
+ sectionMatch = re.match(r'^([^\s#]+):\s*(#.*)?$', line) + if sectionMatch is not None: + currentSection = sectionMatch.group(1) + sectionStartLine = True + currentService = None + + # determine indentation for each compose file section (assumes YML file is consistently indented) + if (currentSection is not None) and (currentSection not in sectionIndents): + indentMatch = re.search(r'^(\s+)\S+\s*:\s*$', line) + if indentMatch is not None: + sectionIndents[currentSection] = indentMatch.group(1) + + # determine which service we're currently processing in the YML file + if currentSection == 'services': + serviceMatch = re.search(fr'^{sectionIndents[currentSection]}(\S+)\s*:\s*$', line) + if serviceMatch is not None: + currentService = serviceMatch.group(1).lower() + serviceStartLine = True + + if (currentSection == 'services') and (not serviceStartLine) and (currentService is not None): + # down in the individual services sections of the compose file + + if re.match(r'^\s*restart\s*:.*$', line): + # whether or not to restart services automatically (on boot, etc.) 
+ line = f"{sectionIndents[currentSection] * 2}restart: {restartMode}" + + elif currentService == 'arkime': + # stuff specifically in the arkime section + if re.match(r'^\s*-.+:/data/pcap(:.+)?\s*$', line): + # Arkime's reference to the PCAP directory + line = ReplaceBindMountLocation( + line, + pcapDir, + sectionIndents[currentSection] * 3, + ) - elif currentService == 'opensearch': - # stuff specifically in the opensearch section - if 'OPENSEARCH_JAVA_OPTS' in line: - # OpenSearch memory allowance - line = re.sub(r'(-Xm[sx])(\w+)', fr'\g<1>{osMemory}', line) - - elif re.match(r'^\s*-.+:/usr/share/opensearch/data(:.+)?\s*$', line): - # OpenSearch indexes directory - line = ReplaceBindMountLocation( - line, - indexDir, - sectionIndents[currentSection] * 3, - ) + elif currentService == 'filebeat': + # stuff specifically in the filebeat section + if re.match(r'^[\s#]*-\s*"([\d\.]+:)?\d+:\d+"\s*$', line): + # set bind IP based on whether it should be externally exposed or not + line = re.sub( + r'^([\s#]*-\s*")([\d\.]+:)?(\d+:\d+"\s*)$', + fr"\g<1>{'0.0.0.0' if filebeatTcpOpen else '127.0.0.1'}:\g<3>", + line, + ) - elif re.match(r'^\s*-.+:/opt/opensearch/backup(:.+)?\s*$', line): - # OpenSearch backup directory - line = ReplaceBindMountLocation( - line, - indexSnapshotDir, - sectionIndents[currentSection] * 3, - ) + elif re.match(r'^\s*-.+:/suricata(:.+)?\s*$', line): + # filebeat's reference to the suricata-logs directory + line = ReplaceBindMountLocation( + line, + suricataLogDir, + sectionIndents[currentSection] * 3, + ) - elif currentService == 'pcap-capture': - # stuff specifically in the pcap-capture section - if re.match(r'^\s*-.+:/pcap(:.+)?\s*$', line): - # pcap-capture's reference to the PCAP directory - line = ReplaceBindMountLocation( - line, - os.path.join(pcapDir, 'upload'), - sectionIndents[currentSection] * 3, - ) + elif re.match(r'^\s*-.+:/zeek(:.+)?\s*$', line): + # filebeat's reference to the zeek-logs directory + line = ReplaceBindMountLocation( + 
line, + zeekLogDir, + sectionIndents[currentSection] * 3, + ) - elif currentService == 'pcap-monitor': - # stuff specifically in the pcap-monitor section - if re.match(r'^\s*-.+:/pcap(:.+)?\s*$', line): - # pcap-monitor's reference to the PCAP directory - line = ReplaceBindMountLocation( - line, - pcapDir, - sectionIndents[currentSection] * 3, - ) + elif currentService == 'file-monitor': + # stuff specifically in the file-monitor section + if re.match(r'^\s*-.+:/zeek/extract_files(:.+)?\s*$', line): + # file-monitor's reference to the zeek-logs/extract_files directory + line = ReplaceBindMountLocation( + line, + os.path.join(zeekLogDir, 'extract_files'), + sectionIndents[currentSection] * 3, + ) - elif re.match(r'^\s*-.+:/zeek(:.+)?\s*$', line): - # pcap-monitor's reference to the zeek-logs directory - line = ReplaceBindMountLocation( - line, - zeekLogDir, - sectionIndents[currentSection] * 3, - ) + elif re.match(r'^\s*-.+:/zeek/logs(:.+)?\s*$', line): + # zeek's reference to the zeek-logs/current directory + line = ReplaceBindMountLocation( + line, + os.path.join(zeekLogDir, 'current'), + sectionIndents[currentSection] * 3, + ) - elif currentService == 'suricata': - # stuff specifically in the suricata section - if re.match(r'^\s*-.+:/data/pcap(:.+)?\s*$', line): - # Suricata's reference to the PCAP directory - line = ReplaceBindMountLocation( - line, - pcapDir, - sectionIndents[currentSection] * 3, - ) + elif currentService == 'logstash': + # stuff specifically in the logstash section + if re.match(r'^[\s#]*-\s*"([\d\.]+:)?\d+:\d+"\s*$', line): + # set bind IP based on whether it should be externally exposed or not + line = re.sub( + r'^([\s#]*-\s*")([\d\.]+:)?(\d+:\d+"\s*)$', + fr"\g<1>{'0.0.0.0' if logstashOpen else '127.0.0.1'}:\g<3>", + line, + ) - elif re.match(r'^\s*-.+:/var/log/suricata(:.+)?\s*$', line): - # suricata's reference to the suricata-logs directory - line = ReplaceBindMountLocation( - line, - suricataLogDir, - sectionIndents[currentSection] * 
3, - ) + elif currentService == 'opensearch': + # stuff specifically in the opensearch section + if re.match(r'^\s*-.+:/usr/share/opensearch/data(:.+)?\s*$', line): + # OpenSearch indexes directory + line = ReplaceBindMountLocation( + line, + indexDir, + sectionIndents[currentSection] * 3, + ) - elif currentService == 'suricata-live': - # stuff specifically in the suricata-live section - if re.match(r'^\s*-.+:/var/log/suricata(:.+)?\s*$', line): - # suricata-live's reference to the suricata-logs directory - line = ReplaceBindMountLocation( - line, - suricataLogDir, - sectionIndents[currentSection] * 3, - ) + elif re.match(r'^\s*-.+:/opt/opensearch/backup(:.+)?\s*$', line): + # OpenSearch backup directory + line = ReplaceBindMountLocation( + line, + indexSnapshotDir, + sectionIndents[currentSection] * 3, + ) - elif currentService == 'upload': - # stuff specifically in the upload section - if re.match(r'^[\s#]*-\s*"([\d\.]+:)?\d+:\d+"\s*$', line): - # set bind IP based on whether it should be externally exposed or not - line = re.sub( - r'^([\s#]*-\s*")([\d\.]+:)?(\d+:\d+"\s*)$', - fr"\g<1>{'0.0.0.0' if sftpOpen else '127.0.0.1'}:\g<3>", - line, - ) + elif currentService == 'pcap-capture': + # stuff specifically in the pcap-capture section + if re.match(r'^\s*-.+:/pcap(:.+)?\s*$', line): + # pcap-capture's reference to the PCAP directory + line = ReplaceBindMountLocation( + line, + os.path.join(pcapDir, 'upload'), + sectionIndents[currentSection] * 3, + ) - elif re.match(r'^\s*-.+:/var/www/upload/server/php/chroot/files(:.+)?\s*$', line): - # upload's reference to the PCAP directory - line = ReplaceBindMountLocation( - line, - os.path.join(pcapDir, 'upload'), - sectionIndents[currentSection] * 3, - ) + elif currentService == 'pcap-monitor': + # stuff specifically in the pcap-monitor section + if re.match(r'^\s*-.+:/pcap(:.+)?\s*$', line): + # pcap-monitor's reference to the PCAP directory + line = ReplaceBindMountLocation( + line, + pcapDir, + 
sectionIndents[currentSection] * 3, + ) - elif currentService == 'zeek': - # stuff specifically in the zeek section - if re.match(r'^\s*-.+:/pcap(:.+)?\s*$', line): - # Zeek's reference to the PCAP directory - line = ReplaceBindMountLocation( - line, - pcapDir, - sectionIndents[currentSection] * 3, - ) + elif re.match(r'^\s*-.+:/zeek(:.+)?\s*$', line): + # pcap-monitor's reference to the zeek-logs directory + line = ReplaceBindMountLocation( + line, + zeekLogDir, + sectionIndents[currentSection] * 3, + ) - elif re.match(r'^\s*-.+:/zeek/upload(:.+)?\s*$', line): - # zeek's reference to the zeek-logs/upload directory - line = ReplaceBindMountLocation( - line, - os.path.join(zeekLogDir, 'upload'), - sectionIndents[currentSection] * 3, - ) + elif currentService == 'suricata': + # stuff specifically in the suricata section + if re.match(r'^\s*-.+:/data/pcap(:.+)?\s*$', line): + # Suricata's reference to the PCAP directory + line = ReplaceBindMountLocation( + line, + pcapDir, + sectionIndents[currentSection] * 3, + ) - elif re.match(r'^\s*-.+:/zeek/extract_files(:.+)?\s*$', line): - # zeek's reference to the zeek-logs/extract_files directory - line = ReplaceBindMountLocation( - line, - os.path.join(zeekLogDir, 'extract_files'), - sectionIndents[currentSection] * 3, - ) + elif re.match(r'^\s*-.+:/var/log/suricata(:.+)?\s*$', line): + # suricata's reference to the suricata-logs directory + line = ReplaceBindMountLocation( + line, + suricataLogDir, + sectionIndents[currentSection] * 3, + ) - elif currentService == 'zeek-live': - # stuff specifically in the zeek-live section - if re.match(r'^\s*-.+:/zeek/live(:.+)?\s*$', line): - # zeek-live's reference to the zeek-logs/live directory - line = ReplaceBindMountLocation( - line, - os.path.join(zeekLogDir, 'live'), - sectionIndents[currentSection] * 3, - ) + elif currentService == 'suricata-live': + # stuff specifically in the suricata-live section + if re.match(r'^\s*-.+:/var/log/suricata(:.+)?\s*$', line): + # suricata-live's 
reference to the suricata-logs directory + line = ReplaceBindMountLocation( + line, + suricataLogDir, + sectionIndents[currentSection] * 3, + ) - elif re.match(r'^\s*-.+:/zeek/extract_files(:.+)?\s*$', line): - # zeek-lives's reference to the zeek-logs/extract_files directory - line = ReplaceBindMountLocation( - line, - os.path.join(zeekLogDir, 'extract_files'), - sectionIndents[currentSection] * 3, - ) + elif currentService == 'upload': + # stuff specifically in the upload section + if re.match(r'^[\s#]*-\s*"([\d\.]+:)?\d+:\d+"\s*$', line): + # set bind IP based on whether it should be externally exposed or not + line = re.sub( + r'^([\s#]*-\s*")([\d\.]+:)?(\d+:\d+"\s*)$', + fr"\g<1>{'0.0.0.0' if sftpOpen else '127.0.0.1'}:\g<3>", + line, + ) - elif currentService == 'nginx-proxy': - # stuff specifically in the nginx-proxy section + elif re.match(r'^\s*-.+:/var/www/upload/server/php/chroot/files(:.+)?\s*$', line): + # upload's reference to the PCAP directory + line = ReplaceBindMountLocation( + line, + os.path.join(pcapDir, 'upload'), + sectionIndents[currentSection] * 3, + ) - if re.match(r'^\s*test\s*:', line): - # set nginx-proxy health check based on whether they're using HTTPS or not - line = re.sub( - r'https?://localhost:\d+', - fr"{'https' if nginxSSL else 'http'}://localhost:443", - line, - ) + elif currentService == 'zeek': + # stuff specifically in the zeek section + if re.match(r'^\s*-.+:/pcap(:.+)?\s*$', line): + # Zeek's reference to the PCAP directory + line = ReplaceBindMountLocation( + line, + pcapDir, + sectionIndents[currentSection] * 3, + ) - elif re.match(r'^[\s#]*-\s*"([\d\.]+:)?\d+:\d+"\s*$', line): - # set bind IPs and ports based on whether it should be externally exposed or not - line = re.sub( - r'^([\s#]*-\s*")([\d\.]+:)?(\d+:\d+"\s*)$', - fr"\g<1>{'0.0.0.0' if nginxSSL and (((not '9200:9200' in line) and (not '5601:5601' in line)) or opensearchOpen) else '127.0.0.1'}:\g<3>", - line, - ) - if nginxSSL == False: - if ':443:' in line: - 
line = line.replace(':443:', ':80:') - if ':9200:' in line: - line = line.replace(':9200:', ':9201:') - else: - if ':80:' in line: - line = line.replace(':80:', ':443:') - if ':9201:' in line: - line = line.replace(':9201:', ':9200:') - - elif 'traefik.' in line: - # enable/disable/configure traefik labels if applicable - - # Traefik enabled vs. disabled - if 'traefik.enable' in line: - line = re.sub( - r'(#\s*)?(traefik\.enable\s*:\s*)(\S+)', - fr"\g<2>{TrueOrFalseQuote(behindReverseProxy and traefikLabels)}", + elif re.match(r'^\s*-.+:/zeek/upload(:.+)?\s*$', line): + # zeek's reference to the zeek-logs/upload directory + line = ReplaceBindMountLocation( line, + os.path.join(zeekLogDir, 'upload'), + sectionIndents[currentSection] * 3, ) - else: - line = re.sub( - r'(#\s*)?(traefik\..*)', - fr"{'' if traefikLabels else '# '}\g<2>", + + elif re.match(r'^\s*-.+:/zeek/extract_files(:.+)?\s*$', line): + # zeek's reference to the zeek-logs/extract_files directory + line = ReplaceBindMountLocation( line, + os.path.join(zeekLogDir, 'extract_files'), + sectionIndents[currentSection] * 3, ) - if 'traefik.http.' in line and '.osmalcolm.' 
in line: - # OpenSearch router enabled/disabled/host value - line = re.sub( - r'(#\s*)?(traefik\..*)', - fr"{'' if behindReverseProxy and traefikLabels and opensearchOpen else '# '}\g<2>", + elif currentService == 'zeek-live': + # stuff specifically in the zeek-live section + if re.match(r'^\s*-.+:/zeek/live(:.+)?\s*$', line): + # zeek-live's reference to the zeek-logs/live directory + line = ReplaceBindMountLocation( line, + os.path.join(zeekLogDir, 'live'), + sectionIndents[currentSection] * 3, ) - if ('.rule') in line: - line = re.sub( - r'(traefik\.http\.routers\.osmalcolm\.rule\s*:\s*)(\S+)', - fr"\g<1>'Host(`{traefikOpenSearchHost}`)'", - line, - ) - if 'traefik.http.routers.malcolm.rule' in line: - # Malcolm interface router host value - line = re.sub( - r'(traefik\.http\.routers\.malcolm\.rule\s*:\s*)(\S+)', - fr"\g<1>'Host(`{traefikHost}`)'", + elif re.match(r'^\s*-.+:/zeek/extract_files(:.+)?\s*$', line): + # zeek-lives's reference to the zeek-logs/extract_files directory + line = ReplaceBindMountLocation( line, + os.path.join(zeekLogDir, 'extract_files'), + sectionIndents[currentSection] * 3, ) - elif 'traefik.http.routers.' in line and '.entrypoints' in line: - # Malcolm routers entrypoints + elif currentService == 'nginx-proxy': + # stuff specifically in the nginx-proxy section + + if re.match(r'^\s*test\s*:', line): + # set nginx-proxy health check based on whether they're using HTTPS or not line = re.sub( - r'(traefik\.[\w\.]+\s*:\s*)(\S+)', - fr"\g<1>'{traefikEntrypoint}'", + r'https?://localhost:\d+', + fr"{'https' if nginxSSL else 'http'}://localhost:443", line, ) - elif 'traefik.http.routers.' 
in line and '.certresolver' in line: - # Malcolm routers resolvers + elif re.match(r'^[\s#]*-\s*"([\d\.]+:)?\d+:\d+"\s*$', line): + # set bind IPs and ports based on whether it should be externally exposed or not line = re.sub( - r'(traefik\.[\w\.]+\s*:\s*)(\S+)', - fr"\g<1>'{traefikResolver}'", + r'^([\s#]*-\s*")([\d\.]+:)?(\d+:\d+"\s*)$', + fr"\g<1>{'0.0.0.0' if nginxSSL and (((not '9200:9200' in line) and (not '5601:5601' in line)) or opensearchOpen) else '127.0.0.1'}:\g<3>", line, ) + if nginxSSL is False: + if ':443:' in line: + line = line.replace(':443:', ':80:') + if ':9200:' in line: + line = line.replace(':9200:', ':9201:') + else: + if ':80:' in line: + line = line.replace(':80:', ':443:') + if ':9201:' in line: + line = line.replace(':9201:', ':9200:') + + elif 'traefik.' in line: + # enable/disable/configure traefik labels if applicable + + # Traefik enabled vs. disabled + if 'traefik.enable' in line: + line = re.sub( + r'(#\s*)?(traefik\.enable\s*:\s*)(\S+)', + fr"\g<2>{TrueOrFalseQuote(behindReverseProxy and traefikLabels)}", + line, + ) + else: + line = re.sub( + r'(#\s*)?(traefik\..*)', + fr"{'' if traefikLabels else '# '}\g<2>", + line, + ) - elif currentSection == 'networks': - # re-write the network definition from scratch - if not sectionStartLine: - if not networkWritten: - print(f"{sectionIndents[currentSection]}default:") - print( - f"{sectionIndents[currentSection] * 2}external: {'true' if (len(dockerNetworkExternalName) > 0) else 'false'}" - ) - if len(dockerNetworkExternalName) > 0: - print(f"{sectionIndents[currentSection] * 2}name: {dockerNetworkExternalName}") - networkWritten = True - # we already re-wrote the network stuff, anything else is superfluous - skipLine = True + if 'traefik.http.' in line and '.osmalcolm.' 
in line: + # OpenSearch router enabled/disabled/host value + line = re.sub( + r'(#\s*)?(traefik\..*)', + fr"{'' if behindReverseProxy and traefikLabels and opensearchOpen else '# '}\g<2>", + line, + ) + if ('.rule') in line: + line = re.sub( + r'(traefik\.http\.routers\.osmalcolm\.rule\s*:\s*)(\S+)', + fr"\g<1>'Host(`{traefikOpenSearchHost}`)'", + line, + ) + + if 'traefik.http.routers.malcolm.rule' in line: + # Malcolm interface router host value + line = re.sub( + r'(traefik\.http\.routers\.malcolm\.rule\s*:\s*)(\S+)', + fr"\g<1>'Host(`{traefikHost}`)'", + line, + ) + + elif 'traefik.http.routers.' in line and '.entrypoints' in line: + # Malcolm routers entrypoints + line = re.sub( + r'(traefik\.[\w\.]+\s*:\s*)(\S+)', + fr"\g<1>'{traefikEntrypoint}'", + line, + ) + + elif 'traefik.http.routers.' in line and '.certresolver' in line: + # Malcolm routers resolvers + line = re.sub( + r'(traefik\.[\w\.]+\s*:\s*)(\S+)', + fr"\g<1>'{traefikResolver}'", + line, + ) + + elif currentSection == 'networks': + # re-write the network definition from scratch + if not sectionStartLine: + if not networkWritten: + print(f"{sectionIndents[currentSection]}default:") + print( + f"{sectionIndents[currentSection] * 2}external: {'true' if (len(dockerNetworkExternalName) > 0) else 'false'}" + ) + if len(dockerNetworkExternalName) > 0: + print(f"{sectionIndents[currentSection] * 2}name: {dockerNetworkExternalName}") + networkWritten = True + # we already re-wrote the network stuff, anything else is superfluous + skipLine = True - if not skipLine: - print(line) + if not skipLine: + print(line) - finally: - composeFileHandle.close() - # restore ownership - os.chown(composeFile, origUid, origGuid) + finally: + composeFileHandle.close() + # restore ownership + os.chown(composeFile, origUid, origGuid) try: - Touch(MalcolmCfgRunOnceFile) - except Exception as e: + touch(MalcolmCfgRunOnceFile) + except Exception: pass # if the Malcolm dir is owned by root, see if they want to reassign ownership 
to a non-root user @@ -1617,8 +1775,8 @@ def tweak_malcolm_runtime( ################################################################################################### class LinuxInstaller(Installer): # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - def __init__(self, debug=False, configOnly=False): - super().__init__(debug, configOnly) + def __init__(self, orchMode, debug=False, configOnly=False): + super().__init__(orchMode, debug, configOnly) self.distro = None self.codename = None @@ -1635,17 +1793,17 @@ def __init__(self, debug=False, configOnly=False): try: k, v = line.rstrip().split("=") osInfo[k] = v.strip('"') - except: + except Exception: pass if ('NAME' in osInfo) and (len(osInfo['NAME']) > 0): - distro = osInfo['NAME'].lower().split()[0] + self.distro = osInfo['NAME'].lower().split()[0] if ('VERSION_CODENAME' in osInfo) and (len(osInfo['VERSION_CODENAME']) > 0): - codename = osInfo['VERSION_CODENAME'].lower().split()[0] + self.codename = osInfo['VERSION_CODENAME'].lower().split()[0] if ('VERSION_ID' in osInfo) and (len(osInfo['VERSION_ID']) > 0): - release = osInfo['VERSION_ID'].lower().split()[0] + self.release = osInfo['VERSION_ID'].lower().split()[0] # try lsb_release next if self.distro is None: 
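Review bot: The `k, v = line.rstrip().split("=")` unpack guarded by the new `except Exception:` still raises ValueError for any os-release line whose quoted value contains an `=` (the spec allows it), and the `pass` then silently drops that key; `k, v = line.rstrip().split("=", 1)` uses only the first `=` as the separator, leaving the swallow to cover just blank or comment lines. Switching the assignments to `self.distro`/`self.codename`/`self.release` is the right fix, but `self.release` is not initialised alongside `self.distro = None` and `self.codename = None` in the preceding hunk, so if VERSION_ID is absent a later read of `self.release` would fail unless it is set elsewhere in the constructor (outside this hunk). The enclosing `__init__` starts and ends outside the hunk.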
@@ -1709,31 +1867,31 @@ def __init__(self, debug=False, configOnly=False): raise Exception(f'{ScriptName} must be run as root, or {self.sudoCmd} must be available') # determine command to use to query if a package is installed - if Which('dpkg', debug=self.debug): + if which('dpkg', debug=self.debug): os.environ["DEBIAN_FRONTEND"] = "noninteractive" self.checkPackageCmds.append(['dpkg', '-s']) - elif Which('rpm', debug=self.debug): + elif which('rpm', debug=self.debug): self.checkPackageCmds.append(['rpm', '-q']) - elif Which('dnf', debug=self.debug): + elif which('dnf', debug=self.debug): self.checkPackageCmds.append(['dnf', 'list', 'installed']) - elif Which('yum', debug=self.debug): + elif which('yum', debug=self.debug): self.checkPackageCmds.append(['yum', 'list', 'installed']) # determine command to install a package from the distro's repos - if Which('apt-get', debug=self.debug): + if which('apt-get', debug=self.debug): self.installPackageCmds.append(['apt-get', 'install', '-y', '-qq']) - elif Which('apt', debug=self.debug): + elif which('apt', debug=self.debug): self.installPackageCmds.append(['apt', 'install', '-y', '-qq']) - elif Which('dnf', debug=self.debug): + elif which('dnf', debug=self.debug): self.installPackageCmds.append(['dnf', '-y', 'install', '--nobest']) - elif Which('yum', debug=self.debug): + elif which('yum', debug=self.debug): self.installPackageCmds.append(['yum', '-y', 'install']) # determine total system memory try: totalMemBytes = os.sysconf('SC_PAGE_SIZE') * os.sysconf('SC_PHYS_PAGES') self.totalMemoryGigs = math.ceil(totalMemBytes / (1024.0**3)) - except: + except Exception: self.totalMemoryGigs = 0.0 # determine total system memory a different way if the first way didn't work 
@@ -1746,7 +1904,7 @@ def __init__(self, debug=False, configOnly=False): # determine total system CPU cores try: self.totalCores = os.sysconf('SC_NPROCESSORS_ONLN') - except: + except Exception: self.totalCores = 0 # determine total system CPU cores a different way if the first way didn't work 
@@ -1761,194 +1919,203 @@ def install_docker(self): result = False - # first see if docker is already installed and runnable - err, out = self.run_process(['docker', 'info'], privileged=True) + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # first see if docker is already installed and runnable + err, out = self.run_process(['docker', 'info'], privileged=True) - if err == 0: - result = True - - elif InstallerYesOrNo('"docker info" failed, attempt to install Docker?', default=True): - if InstallerYesOrNo('Attempt to install Docker using official repositories?', default=True): - # install required packages for repo-based install - if self.distro == PLATFORM_LINUX_UBUNTU: - requiredRepoPackages = [ - 'apt-transport-https', - 'ca-certificates', - 'curl', - 'gnupg-agent', - 'software-properties-common', - ] - elif self.distro == PLATFORM_LINUX_DEBIAN: - requiredRepoPackages = [ - 'apt-transport-https', - 'ca-certificates', - 'curl', - 'gnupg2', - 'software-properties-common', - ] - elif self.distro == PLATFORM_LINUX_FEDORA: - requiredRepoPackages = ['dnf-plugins-core'] - elif self.distro == PLATFORM_LINUX_CENTOS: - requiredRepoPackages = ['yum-utils', 'device-mapper-persistent-data', 'lvm2'] - else: - requiredRepoPackages = [] - - if len(requiredRepoPackages) > 0: - eprint(f"Installing required packages: {requiredRepoPackages}") - self.install_package(requiredRepoPackages) + if err == 0: + result = True - # install docker via repo if possible - dockerPackages = [] - if ((self.distro == PLATFORM_LINUX_UBUNTU) or (self.distro == PLATFORM_LINUX_DEBIAN)) and self.codename: - # for debian/ubuntu, add docker GPG key and check its fingerprint - if self.debug: - eprint("Requesting docker GPG key for package signing") - dockerGpgKey = requests_imported.get( - f'https://download.docker.com/linux/{self.distro}/gpg', allow_redirects=True - ) - err, out = self.run_process( - ['apt-key', 'add'], - stdin=dockerGpgKey.content.decode(sys.getdefaultencoding()), - 
privileged=True, - stderr=False, - ) - if err == 0: + elif InstallerYesOrNo('"docker info" failed, attempt to install Docker?', default=True): + if InstallerYesOrNo('Attempt to install Docker using official repositories?', default=True): + # install required packages for repo-based install + if self.distro == PLATFORM_LINUX_UBUNTU: + requiredRepoPackages = [ + 'apt-transport-https', + 'ca-certificates', + 'curl', + 'gnupg-agent', + 'software-properties-common', + ] + elif self.distro == PLATFORM_LINUX_DEBIAN: + requiredRepoPackages = [ + 'apt-transport-https', + 'ca-certificates', + 'curl', + 'gnupg2', + 'software-properties-common', + ] + elif self.distro == PLATFORM_LINUX_FEDORA: + requiredRepoPackages = ['dnf-plugins-core'] + elif self.distro == PLATFORM_LINUX_CENTOS: + requiredRepoPackages = ['yum-utils', 'device-mapper-persistent-data', 'lvm2'] + else: + requiredRepoPackages = [] + + if len(requiredRepoPackages) > 0: + eprint(f"Installing required packages: {requiredRepoPackages}") + self.install_package(requiredRepoPackages) + + # install docker via repo if possible + dockerPackages = [] + if ( + (self.distro == PLATFORM_LINUX_UBUNTU) or (self.distro == PLATFORM_LINUX_DEBIAN) + ) and self.codename: + # for debian/ubuntu, add docker GPG key and check its fingerprint + if self.debug: + eprint("Requesting docker GPG key for package signing") + dockerGpgKey = requests_imported.get( + f'https://download.docker.com/linux/{self.distro}/gpg', allow_redirects=True + ) err, out = self.run_process( - ['apt-key', 'fingerprint', DEB_GPG_KEY_FINGERPRINT], privileged=True, stderr=False + ['apt-key', 'add'], + stdin=dockerGpgKey.content.decode(sys.getdefaultencoding()), + privileged=True, + stderr=False, ) + if err == 0: + err, out = self.run_process( + ['apt-key', 'fingerprint', DEB_GPG_KEY_FINGERPRINT], privileged=True, stderr=False + ) - # add docker .deb repository - if err == 0: + # add docker .deb repository + if err == 0: + if self.debug: + eprint("Adding docker 
repository") + err, out = self.run_process( + [ + 'add-apt-repository', + '-y', + '-r', + f'deb [arch=amd64] https://download.docker.com/linux/{self.distro} {self.codename} stable', + ], + privileged=True, + ) + err, out = self.run_process( + [ + 'add-apt-repository', + '-y', + '-u', + f'deb [arch=amd64] https://download.docker.com/linux/{self.distro} {self.codename} stable', + ], + privileged=True, + ) + + # docker packages to install + if err == 0: + dockerPackages.extend( + ['docker-ce', 'docker-ce-cli', 'docker-compose-plugin', 'containerd.io'] + ) + + elif self.distro == PLATFORM_LINUX_FEDORA: + # add docker fedora repository if self.debug: eprint("Adding docker repository") err, out = self.run_process( [ - 'add-apt-repository', + 'dnf', + 'config-manager', '-y', - '-r', - f'deb [arch=amd64] https://download.docker.com/linux/{self.distro} {self.codename} stable', + '--add-repo', + 'https://download.docker.com/linux/fedora/docker-ce.repo', ], privileged=True, ) + + # docker packages to install + if err == 0: + dockerPackages.extend( + ['docker-ce', 'docker-ce-cli', 'docker-compose-plugin', 'containerd.io'] + ) + + elif self.distro == PLATFORM_LINUX_CENTOS: + # add docker centos repository + if self.debug: + eprint("Adding docker repository") err, out = self.run_process( [ - 'add-apt-repository', + 'yum-config-manager', '-y', - '-u', - f'deb [arch=amd64] https://download.docker.com/linux/{self.distro} {self.codename} stable', + '--add-repo', + 'https://download.docker.com/linux/centos/docker-ce.repo', ], privileged=True, ) - # docker packages to install - if err == 0: - dockerPackages.extend(['docker-ce', 'docker-ce-cli', 'docker-compose-plugin', 'containerd.io']) - - elif self.distro == PLATFORM_LINUX_FEDORA: - # add docker fedora repository - if self.debug: - eprint("Adding docker repository") - err, out = self.run_process( - [ - 'dnf', - 'config-manager', - '-y', - '--add-repo', - 'https://download.docker.com/linux/fedora/docker-ce.repo', - ], - 
privileged=True, - ) - - # docker packages to install - if err == 0: - dockerPackages.extend(['docker-ce', 'docker-ce-cli', 'docker-compose-plugin', 'containerd.io']) - - elif self.distro == PLATFORM_LINUX_CENTOS: - # add docker centos repository - if self.debug: - eprint("Adding docker repository") - err, out = self.run_process( - [ - 'yum-config-manager', - '-y', - '--add-repo', - 'https://download.docker.com/linux/centos/docker-ce.repo', - ], - privileged=True, - ) + # docker packages to install + if err == 0: + dockerPackages.extend( + ['docker-ce', 'docker-ce-cli', 'docker-compose-plugin', 'containerd.io'] + ) - # docker packages to install - if err == 0: - dockerPackages.extend(['docker-ce', 'docker-ce-cli', 'docker-compose-plugin', 'containerd.io']) + else: + err, out = None, None - else: - err, out = None, None + if len(dockerPackages) > 0: + eprint(f"Installing docker packages: {dockerPackages}") + if self.install_package(dockerPackages): + eprint("Installation of docker packages apparently succeeded") + result = True + else: + eprint("Installation of docker packages failed") - if len(dockerPackages) > 0: - eprint(f"Installing docker packages: {dockerPackages}") - if self.install_package(dockerPackages): - eprint("Installation of docker packages apparently succeeded") - result = True + # the user either chose not to use the official repos, the official repo installation failed, or there are not official repos available + # see if we want to attempt using the convenience script at https://get.docker.com (see https://github.com/docker/docker-install) + if not result and InstallerYesOrNo( + 'Docker not installed via official repositories. 
Attempt to install Docker via convenience script (please read https://github.com/docker/docker-install)?', + default=False, + ): + tempFileName = os.path.join(self.tempDirName, 'docker-install.sh') + if DownloadToFile("https://get.docker.com/", tempFileName, debug=self.debug): + os.chmod(tempFileName, 493) # 493 = 0o755 + err, out = self.run_process(([tempFileName]), privileged=True) + if err == 0: + eprint("Installation of docker apparently succeeded") + result = True + else: + eprint(f"Installation of docker failed: {out}") else: - eprint("Installation of docker packages failed") + eprint(f"Downloading https://get.docker.com/ to {tempFileName} failed") - # the user either chose not to use the official repos, the official repo installation failed, or there are not official repos available - # see if we want to attempt using the convenience script at https://get.docker.com (see https://github.com/docker/docker-install) - if not result and InstallerYesOrNo( - 'Docker not installed via official repositories. 
Attempt to install Docker via convenience script (please read https://github.com/docker/docker-install)?', - default=False, - ): - tempFileName = os.path.join(self.tempDirName, 'docker-install.sh') - if DownloadToFile("https://get.docker.com/", tempFileName, debug=self.debug): - os.chmod(tempFileName, 493) # 493 = 0o755 - err, out = self.run_process(([tempFileName]), privileged=True) - if err == 0: - eprint("Installation of docker apparently succeeded") - result = True - else: - eprint(f"Installation of docker failed: {out}") + if result and ((self.distro == PLATFORM_LINUX_FEDORA) or (self.distro == PLATFORM_LINUX_CENTOS)): + # centos/fedora don't automatically start/enable the daemon, so do so now + err, out = self.run_process(['systemctl', 'start', 'docker'], privileged=True) + if err == 0: + err, out = self.run_process(['systemctl', 'enable', 'docker'], privileged=True) + if err != 0: + eprint(f"Enabling docker service failed: {out}") else: - eprint(f"Downloading {dockerComposeUrl} to {tempFileName} failed") - - if result and ((self.distro == PLATFORM_LINUX_FEDORA) or (self.distro == PLATFORM_LINUX_CENTOS)): - # centos/fedora don't automatically start/enable the daemon, so do so now - err, out = self.run_process(['systemctl', 'start', 'docker'], privileged=True) - if err == 0: - err, out = self.run_process(['systemctl', 'enable', 'docker'], privileged=True) - if err != 0: - eprint(f"Enabling docker service failed: {out}") - else: - eprint(f"Starting docker service failed: {out}") - - # at this point we either have installed docker successfully or we have to give up, as we've tried all we could - err, out = self.run_process(['docker', 'info'], privileged=True, retry=6, retrySleepSec=5) - if result and (err == 0): - if self.debug: - eprint('"docker info" succeeded') + eprint(f"Starting docker service failed: {out}") - # add non-root user to docker group if required - usersToAdd = [] - if self.scriptUser == 'root': - while InstallerYesOrNo( - f"Add {'a' if 
len(usersToAdd) == 0 else 'another'} non-root user to the \"docker\" group?" - ): - tmpUser = InstallerAskForString('Enter user account') - if len(tmpUser) > 0: - usersToAdd.append(tmpUser) - else: - usersToAdd.append(self.scriptUser) + # at this point we either have installed docker successfully or we have to give up, as we've tried all we could + err, out = self.run_process(['docker', 'info'], privileged=True, retry=6, retrySleepSec=5) + if result and (err == 0): + if self.debug: + eprint('"docker info" succeeded') - for user in usersToAdd: - err, out = self.run_process(['usermod', '-a', '-G', 'docker', user], privileged=True) - if err == 0: - if self.debug: - eprint(f'Adding {user} to "docker" group succeeded') + # add non-root user to docker group if required + usersToAdd = [] + if self.scriptUser == 'root': + while InstallerYesOrNo( + f"Add {'a' if len(usersToAdd) == 0 else 'another'} non-root user to the \"docker\" group?" + ): + tmpUser = InstallerAskForString('Enter user account') + if len(tmpUser) > 0: + usersToAdd.append(tmpUser) else: - eprint(f'Adding {user} to "docker" group failed') + usersToAdd.append(self.scriptUser) + + for user in usersToAdd: + err, out = self.run_process(['usermod', '-a', '-G', 'docker', user], privileged=True) + if err == 0: + if self.debug: + eprint(f'Adding {user} to "docker" group succeeded') + else: + eprint(f'Adding {user} to "docker" group failed') - elif err != 0: - result = False - raise Exception(f'{ScriptName} requires docker, please see {DOCKER_INSTALL_URLS[self.distro]}') + elif err != 0: + result = False + raise Exception(f'{ScriptName} requires docker, please see {DOCKER_INSTALL_URLS[self.distro]}') return result 
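Review bot: In the Debian/Ubuntu branch the response from `requests_imported.get(f'https://download.docker.com/linux/{self.distro}/gpg', allow_redirects=True)` is decoded and piped to `apt-key add` without checking its status, so an error page would be fed to the keyring and success would rest on apt-key's exit code alone; `dockerGpgKey.raise_for_status()` (or `if dockerGpgKey.ok:` around the add) makes a failed fetch explicit before anything is imported. The repository line is still hard-coded as `f'deb [arch=amd64] https://download.docker.com/linux/{self.distro} {self.codename} stable'`, so on an arm64 host apt is pointed at a repository for the wrong architecture; `dpkg --print-architecture` (run through `self.run_process` like the other commands) would supply the right value. With the whole body now gated on `self.orchMode is OrchestrationFramework.DOCKER_COMPOSE`, the function returns `result = False` in Kubernetes mode, which a caller treating False as "docker missing" would misread — if that is how it is used, `result = self.orchMode is not OrchestrationFramework.DOCKER_COMPOSE` as the initial value keeps that path green. The convenience-script path still runs the freshly downloaded `docker-install.sh` as root with no check beyond `DownloadToFile` returning true; confirming the file is non-empty before `os.chmod` would at least reject a truncated download, and `0o755` reads better than the literal `493`.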
@@ -1956,81 +2123,82 @@ def install_docker(self): def install_docker_compose(self): result = False - dockerComposeCmd = 'docker-compose' - if not Which(dockerComposeCmd, debug=self.debug): - if os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'): - dockerComposeCmd = '/usr/libexec/docker/cli-plugins/docker-compose' - elif os.path.isfile('/usr/local/bin/docker-compose'): - dockerComposeCmd = '/usr/local/bin/docker-compose' + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + dockerComposeCmd = 'docker-compose' + if not which(dockerComposeCmd, debug=self.debug): + if os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'): + dockerComposeCmd = '/usr/libexec/docker/cli-plugins/docker-compose' + elif os.path.isfile('/usr/local/bin/docker-compose'): + dockerComposeCmd = '/usr/local/bin/docker-compose' - # first see if docker-compose is already installed and runnable (try non-root and root) - err, out = self.run_process([dockerComposeCmd, 'version'], privileged=False) - if err != 0: - err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True) + # first see if docker-compose is already installed and runnable (try non-root and root) + err, out = self.run_process([dockerComposeCmd, 'version'], privileged=False) + if err != 0: + err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True) + + if (err != 0) and InstallerYesOrNo( + '"docker-compose version" failed, attempt to install docker-compose?', default=True + ): + if InstallerYesOrNo('Install docker-compose directly from docker github?', default=True): + # download docker-compose from github and put it in /usr/local/bin + + # need to know some linux platform info + unames = [] + err, out = self.run_process((['uname', '-s'])) + if (err == 0) and (len(out) > 0): + unames.append(out[0].lower()) + err, out = self.run_process((['uname', '-m'])) + if (err == 0) and (len(out) > 0): + unames.append(out[0].lower()) + if len(unames) == 2: + # download docker-compose 
from github and save it to a temporary file + tempFileName = os.path.join(self.tempDirName, dockerComposeCmd) + dockerComposeUrl = f"https://github.com/docker/compose/releases/download/v{DOCKER_COMPOSE_INSTALL_VERSION}/docker-compose-{unames[0]}-{unames[1]}" + if DownloadToFile(dockerComposeUrl, tempFileName, debug=self.debug): + os.chmod(tempFileName, 493) # 493 = 0o755, mark as executable + # put docker-compose into /usr/local/bin + err, out = self.run_process( + (['cp', '-f', tempFileName, '/usr/local/bin/docker-compose']), privileged=True + ) + if err == 0: + eprint("Download and installation of docker-compose apparently succeeded") + dockerComposeCmd = '/usr/local/bin/docker-compose' + else: + raise Exception(f'Error copying {tempFileName} to /usr/local/bin: {out}') - if (err != 0) and InstallerYesOrNo( - '"docker-compose version" failed, attempt to install docker-compose?', default=True - ): - if InstallerYesOrNo('Install docker-compose directly from docker github?', default=True): - # download docker-compose from github and put it in /usr/local/bin - - # need to know some linux platform info - unames = [] - err, out = self.run_process((['uname', '-s'])) - if (err == 0) and (len(out) > 0): - unames.append(out[0].lower()) - err, out = self.run_process((['uname', '-m'])) - if (err == 0) and (len(out) > 0): - unames.append(out[0].lower()) - if len(unames) == 2: - # download docker-compose from github and save it to a temporary file - tempFileName = os.path.join(self.tempDirName, dockerComposeCmd) - dockerComposeUrl = f"https://github.com/docker/compose/releases/download/v{DOCKER_COMPOSE_INSTALL_VERSION}/docker-compose-{unames[0]}-{unames[1]}" - if DownloadToFile(dockerComposeUrl, tempFileName, debug=self.debug): - os.chmod(tempFileName, 493) # 493 = 0o755, mark as executable - # put docker-compose into /usr/local/bin - err, out = self.run_process( - (['cp', '-f', tempFileName, '/usr/local/bin/docker-compose']), privileged=True - ) - if err == 0: - 
eprint("Download and installation of docker-compose apparently succeeded") - dockerComposeCmd = '/usr/local/bin/docker-compose' else: - raise Exception(f'Error copying {tempFileName} to /usr/local/bin: {out}') + eprint(f"Downloading {dockerComposeUrl} to {tempFileName} failed") + elif InstallerYesOrNo('Install docker-compose via pip (privileged)?', default=False): + # install docker-compose via pip (as root) + err, out = self.run_process([self.pipCmd, 'install', dockerComposeCmd], privileged=True) + if err == 0: + eprint("Installation of docker-compose apparently succeeded") else: - eprint(f"Downloading {dockerComposeUrl} to {tempFileName} failed") - - elif InstallerYesOrNo('Install docker-compose via pip (privileged)?', default=False): - # install docker-compose via pip (as root) - err, out = self.run_process([self.pipCmd, 'install', dockerComposeCmd], privileged=True) - if err == 0: - eprint("Installation of docker-compose apparently succeeded") - else: - eprint(f"Install docker-compose via pip failed with {err}, {out}") + eprint(f"Install docker-compose via pip failed with {err}, {out}") - elif InstallerYesOrNo('Install docker-compose via pip (user)?', default=True): - # install docker-compose via pip (regular user) - err, out = self.run_process([self.pipCmd, 'install', dockerComposeCmd], privileged=False) - if err == 0: - eprint("Installation of docker-compose apparently succeeded") - else: - eprint(f"Install docker-compose via pip failed with {err}, {out}") + elif InstallerYesOrNo('Install docker-compose via pip (user)?', default=True): + # install docker-compose via pip (regular user) + err, out = self.run_process([self.pipCmd, 'install', dockerComposeCmd], privileged=False) + if err == 0: + eprint("Installation of docker-compose apparently succeeded") + else: + eprint(f"Install docker-compose via pip failed with {err}, {out}") - # see if docker-compose is now installed and runnable (try non-root and root) - err, out = self.run_process([dockerComposeCmd, 
'version'], privileged=False) - if err != 0: - err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True) + # see if docker-compose is now installed and runnable (try non-root and root) + err, out = self.run_process([dockerComposeCmd, 'version'], privileged=False) + if err != 0: + err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True) - if err == 0: - result = True - if self.debug: - eprint('"docker-compose version" succeeded') + if err == 0: + result = True + if self.debug: + eprint('"docker-compose version" succeeded') - else: - raise Exception( - f'{ScriptName} requires docker-compose, please see {DOCKER_COMPOSE_INSTALL_URLS[self.platform]}' - ) + else: + raise Exception( + f'{ScriptName} requires docker-compose, please see {DOCKER_COMPOSE_INSTALL_URLS[self.platform]}' + ) return result @@ -2183,8 +2351,8 @@ def tweak_system_files(self): ################################################################################################### class MacInstaller(Installer): # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - def __init__(self, debug=False, configOnly=False): - super().__init__(debug, configOnly) + def __init__(self, orchMode, debug=False, configOnly=False): + super().__init__(orchMode, debug, configOnly) self.sudoCmd = [] @@ -2197,7 +2365,6 @@ def __init__(self, debug=False, configOnly=False): else: self.useBrew = False - eprint('Docker can be installed and maintained with Homebrew, or manually.') if (not brewInstalled) and ( not InstallerYesOrNo('Homebrew is not installed: continue with manual installation?', default=False) ): @@ -2230,7 +2397,7 @@ def __init__(self, debug=False, configOnly=False): try: totalMemBytes = os.sysconf('SC_PAGE_SIZE') * os.sysconf('SC_PHYS_PAGES') self.totalMemoryGigs = math.ceil(totalMemBytes / (1024.0**3)) - except: + except Exception: self.totalMemoryGigs = 0.0 # determine total system memory a different way if the first way didn't work 
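Review bot: The docker-compose binary fetched by `DownloadToFile(dockerComposeUrl, tempFileName, debug=self.debug)` is marked executable and copied into `/usr/local/bin` with `privileged=True` without any integrity check, so a tampered or truncated download is installed as root on the strength of a successful transfer alone. The commit only moves this block under the `OrchestrationFramework.DOCKER_COMPOSE` guard, but since the version is already pinned via `DOCKER_COMPOSE_INSTALL_VERSION`, the checksum that release publishes for the same asset can be fetched and compared before the `cp` step, with the install failing closed on mismatch. Until that exists the gap should at least be recorded next to the `os.chmod` line: `# TODO: verify the downloaded binary against the release's published checksum before installing it as root`. The two `pip install` fallbacks run with no version pin at all (`[self.pipCmd, 'install', dockerComposeCmd]`), so the same concern applies there.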
@@ -2243,7 +2410,7 @@ def __init__(self, debug=False, configOnly=False): # determine total system CPU cores try: self.totalCores = os.sysconf('SC_NPROCESSORS_ONLN') - except: + except Exception: self.totalCores = 0 # determine total system CPU cores a different way if the first way didn't work 
@@ -2256,145 +2423,150 @@ def __init__(self, debug=False, configOnly=False): def install_docker(self): result = False - # first see if docker is already installed/runnable - err, out = self.run_process(['docker', 'info']) + if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: + # first see if docker is already installed/runnable + err, out = self.run_process(['docker', 'info']) - if (err != 0) and self.useBrew and self.package_is_installed(MAC_BREW_DOCKER_PACKAGE): - # if docker is installed via brew, but not running, prompt them to start it - eprint(f'{MAC_BREW_DOCKER_PACKAGE} appears to be installed via Homebrew, but "docker info" failed') - while True: - response = InstallerAskForString( - 'Starting Docker the first time may require user interaction. Please find and start Docker in the Applications folder, then return here and type YES' - ).lower() - if response == 'yes': - break - err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5) + if (err != 0) and self.useBrew and self.package_is_installed(MAC_BREW_DOCKER_PACKAGE): + # if docker is installed via brew, but not running, prompt them to start it + eprint(f'{MAC_BREW_DOCKER_PACKAGE} appears to be installed via Homebrew, but "docker info" failed') + while True: + response = InstallerAskForString( + 'Starting Docker the first time may require user interaction. Please find and start Docker in the Applications folder, then return here and type YES' + ).lower() + if response == 'yes': + break + err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5) - # did docker info work? - if err == 0: - result = True + # did docker info work? 
+ if err == 0: + result = True - elif InstallerYesOrNo('"docker info" failed, attempt to install Docker?', default=True): - if self.useBrew: - # install docker via brew cask (requires user interaction) - dockerPackages = [MAC_BREW_DOCKER_PACKAGE, "docker-compose"] - eprint(f"Installing docker packages: {dockerPackages}") - if self.install_package(dockerPackages): - eprint("Installation of docker packages apparently succeeded") - while True: - response = InstallerAskForString( - 'Starting Docker the first time may require user interaction. Please find and start Docker in the Applications folder, then return here and type YES' - ).lower() - if response == 'yes': - break - else: - eprint("Installation of docker packages failed") + elif InstallerYesOrNo('"docker info" failed, attempt to install Docker?', default=True): + if self.useBrew: + # install docker via brew cask (requires user interaction) + dockerPackages = [MAC_BREW_DOCKER_PACKAGE, "docker-compose"] + eprint(f"Installing docker packages: {dockerPackages}") + if self.install_package(dockerPackages): + eprint("Installation of docker packages apparently succeeded") + while True: + response = InstallerAskForString( + 'Starting Docker the first time may require user interaction. Please find and start Docker in the Applications folder, then return here and type YES' + ).lower() + if response == 'yes': + break + else: + eprint("Installation of docker packages failed") - else: - # install docker via downloaded dmg file (requires user interaction) - dlDirName = f'/Users/{self.scriptUser}/Downloads' - if os.path.isdir(dlDirName): - tempFileName = os.path.join(dlDirName, 'Docker.dmg') else: - tempFileName = os.path.join(self.tempDirName, 'Docker.dmg') - if DownloadToFile('https://download.docker.com/mac/edge/Docker.dmg', tempFileName, debug=self.debug): - while True: - response = InstallerAskForString( - f'Installing and starting Docker the first time may require user interaction. 
Please open Finder and install {tempFileName}, start Docker from the Applications folder, then return here and type YES' - ).lower() - if response == 'yes': - break + # install docker via downloaded dmg file (requires user interaction) + dlDirName = f'/Users/{self.scriptUser}/Downloads' + if os.path.isdir(dlDirName): + tempFileName = os.path.join(dlDirName, 'Docker.dmg') + else: + tempFileName = os.path.join(self.tempDirName, 'Docker.dmg') + if DownloadToFile( + 'https://download.docker.com/mac/edge/Docker.dmg', tempFileName, debug=self.debug + ): + while True: + response = InstallerAskForString( + f'Installing and starting Docker the first time may require user interaction. Please open Finder and install {tempFileName}, start Docker from the Applications folder, then return here and type YES' + ).lower() + if response == 'yes': + break + + # at this point we either have installed docker successfully or we have to give up, as we've tried all we could + err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5) + if err == 0: + result = True + if self.debug: + eprint('"docker info" succeeded') - # at this point we either have installed docker successfully or we have to give up, as we've tried all we could - err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5) - if err == 0: - result = True - if self.debug: - eprint('"docker info" succeeded') + elif err != 0: + raise Exception( + f'{ScriptName} requires docker edge, please see {DOCKER_INSTALL_URLS[self.platform]}' + ) elif err != 0: raise Exception(f'{ScriptName} requires docker edge, please see {DOCKER_INSTALL_URLS[self.platform]}') - elif err != 0: - raise Exception(f'{ScriptName} requires docker edge, please see {DOCKER_INSTALL_URLS[self.platform]}') - - # tweak CPU/RAM usage for Docker in Mac - settingsFile = MAC_BREW_DOCKER_SETTINGS.format(self.scriptUser) - if ( - result - and os.path.isfile(settingsFile) - and InstallerYesOrNo(f'Configure Docker resource usage in 
{settingsFile}?', default=True) - ): - # adjust CPU and RAM based on system resources - if self.totalCores >= 16: - newCpus = 12 - elif self.totalCores >= 12: - newCpus = 8 - elif self.totalCores >= 8: - newCpus = 6 - elif self.totalCores >= 4: - newCpus = 4 - else: - newCpus = 2 - - if self.totalMemoryGigs >= 64.0: - newMemoryGiB = 32 - elif self.totalMemoryGigs >= 32.0: - newMemoryGiB = 24 - elif self.totalMemoryGigs >= 24.0: - newMemoryGiB = 16 - elif self.totalMemoryGigs >= 16.0: - newMemoryGiB = 12 - elif self.totalMemoryGigs >= 8.0: - newMemoryGiB = 8 - elif self.totalMemoryGigs >= 4.0: - newMemoryGiB = 4 - else: - newMemoryGiB = 2 - - while not InstallerYesOrNo( - f"Setting {newCpus if newCpus else '(unchanged)'} for CPU cores and {newMemoryGiB if newMemoryGiB else '(unchanged)'} GiB for RAM. Is this OK?", - default=True, + # tweak CPU/RAM usage for Docker in Mac + settingsFile = MAC_BREW_DOCKER_SETTINGS.format(self.scriptUser) + if ( + result + and os.path.isfile(settingsFile) + and InstallerYesOrNo(f'Configure Docker resource usage in {settingsFile}?', default=True) ): - newCpus = InstallerAskForString('Enter Docker CPU cores (e.g., 4, 8, 16)') - newMemoryGiB = InstallerAskForString('Enter Docker RAM MiB (e.g., 8, 16, etc.)') - - if newCpus or newMemoryMiB: - with open(settingsFile, 'r+') as f: - data = json.load(f) - if newCpus: - data['cpus'] = int(newCpus) - if newMemoryGiB: - data['memoryMiB'] = int(newMemoryGiB) * 1024 - f.seek(0) - json.dump(data, f, indent=2) - f.truncate() - - # at this point we need to essentially update our system memory stats because we're running inside docker - # and don't have the whole banana at our disposal - self.totalMemoryGigs = newMemoryGiB - - eprint("Docker resource settings adjusted, attempting restart...") - - err, out = self.run_process(['osascript', '-e', 'quit app "Docker"']) - if err == 0: - time.sleep(5) - err, out = self.run_process(['open', '-a', 'Docker']) + # adjust CPU and RAM based on system resources + 
if self.totalCores >= 16: + newCpus = 12 + elif self.totalCores >= 12: + newCpus = 8 + elif self.totalCores >= 8: + newCpus = 6 + elif self.totalCores >= 4: + newCpus = 4 + else: + newCpus = 2 + + if self.totalMemoryGigs >= 64.0: + newMemoryGiB = 32 + elif self.totalMemoryGigs >= 32.0: + newMemoryGiB = 24 + elif self.totalMemoryGigs >= 24.0: + newMemoryGiB = 16 + elif self.totalMemoryGigs >= 16.0: + newMemoryGiB = 12 + elif self.totalMemoryGigs >= 8.0: + newMemoryGiB = 8 + elif self.totalMemoryGigs >= 4.0: + newMemoryGiB = 4 + else: + newMemoryGiB = 2 - if err == 0: - err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5) + while not InstallerYesOrNo( + f"Setting {newCpus if newCpus else '(unchanged)'} for CPU cores and {newMemoryGiB if newMemoryGiB else '(unchanged)'} GiB for RAM. Is this OK?", + default=True, + ): + newCpus = InstallerAskForString('Enter Docker CPU cores (e.g., 4, 8, 16)') + newMemoryGiB = InstallerAskForString('Enter Docker RAM MiB (e.g., 8, 16, etc.)') + + if newCpus or newMemoryGiB: + with open(settingsFile, 'r+') as f: + data = json.load(f) + if newCpus: + data['cpus'] = int(newCpus) + if newMemoryGiB: + data['memoryMiB'] = int(newMemoryGiB) * 1024 + f.seek(0) + json.dump(data, f, indent=2) + f.truncate() + + # at this point we need to essentially update our system memory stats because we're running inside docker + # and don't have the whole banana at our disposal + self.totalMemoryGigs = newMemoryGiB + + eprint("Docker resource settings adjusted, attempting restart...") + + err, out = self.run_process(['osascript', '-e', 'quit app "Docker"']) if err == 0: - if self.debug: - eprint('"docker info" succeeded') + time.sleep(5) + err, out = self.run_process(['open', '-a', 'Docker']) - else: - eprint(f"Restarting Docker automatically failed: {out}") - while True: - response = InstallerAskForString( - 'Please restart Docker via the system taskbar, then return here and type YES' - ).lower() - if response == 'yes': - break + if 
err == 0: + err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5) + if err == 0: + if self.debug: + eprint('"docker info" succeeded') + + else: + eprint(f"Restarting Docker automatically failed: {out}") + while True: + response = InstallerAskForString( + 'Please restart Docker via the system taskbar, then return here and type YES' + ).lower() + if response == 'yes': + break return result @@ -2404,7 +2576,9 @@ def install_docker(self): def main(): global args global requests_imported + global kube_imported global yaml_imported + global dotenv_imported # extract arguments from the command line # print (sys.argv[1:]); @@ -2452,7 +2626,17 @@ def main(): metavar='', type=str, default='', - help='Single docker-compose YML file to configure', + help='YAML file (docker-compose file to configure or kubeconfig file)', + ) + parser.add_argument( + '-e', + '--environment-dir', + required=False, + dest='configDir', + metavar='', + type=str, + default=None, + help="Directory containing Malcolm's .env files", ) parser.add_argument( '-d', @@ -2465,7 +2649,6 @@ def main(): help="Accept defaults to prompts without user interaction", ) parser.add_argument( - '-l', '--logstash-expose', dest='exposeLogstash', type=str2bool, @@ -2475,7 +2658,6 @@ def main(): help="Expose Logstash port to external hosts", ) parser.add_argument( - '-e', '--opensearch-expose', dest='exposeOpenSearch', type=str2bool, @@ -2485,7 +2667,6 @@ def main(): help="Expose OpenSearch port to external hosts", ) parser.add_argument( - '-t', '--filebeat-tcp-expose', dest='exposeFilebeatTcp', type=str2bool, @@ -2495,7 +2676,6 @@ def main(): help="Expose Filebeat TCP port to external hosts", ) parser.add_argument( - '-s', '--sftp-expose', dest='exposeSFTP', type=str2bool, 
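Review bot: The answers to `InstallerAskForString('Enter Docker CPU cores (e.g., 4, 8, 16)')` and the RAM prompt are kept as raw strings and only converted with `int(newCpus)` / `int(newMemoryGiB)` after `open(settingsFile, 'r+')`, so a non-numeric answer raises `ValueError` with the settings file already open, and a string `newMemoryGiB` is then stored in `self.totalMemoryGigs`, which this method otherwise treats as a number (`self.totalMemoryGigs >= 64.0`). The commit fixes the `newMemoryMiB` typo in the `if newCpus or newMemoryGiB:` condition but leaves the prompt saying `MiB` while the value is multiplied as GiB (`int(newMemoryGiB) * 1024`). Converting inside the confirmation loop keeps the settings file untouched on bad input and lets the prompt name the unit actually used.
```python
                while not InstallerYesOrNo(
                    f"Setting {newCpus if newCpus else '(unchanged)'} for CPU cores and {newMemoryGiB if newMemoryGiB else '(unchanged)'} GiB for RAM. Is this OK?",
                    default=True,
                ):
                    try:
                        newCpus = int(InstallerAskForString('Enter Docker CPU cores (e.g., 4, 8, 16)'))
                        newMemoryGiB = int(InstallerAskForString('Enter Docker RAM GiB (e.g., 8, 16, etc.)'))
                    except ValueError:
                        eprint('CPU cores and RAM must be whole numbers')
                        newCpus = newMemoryGiB = 0
                # … unchanged: write cpus / memoryMiB into settingsFile and restart Docker …
```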
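Review bot: `-e` is re-bound in this hunk from `--opensearch-expose` (a `str2bool`) to `--environment-dir` (a path), while `-l`, `-t` and `-s` are dropped in the hunks that follow, so an existing invocation such as `-e true` no longer errors but is accepted as `configDir='true'`, which later fails the `os.path.isdir` test and silently falls back to the default directory search. Reassigning a short option to a different type is exactly the case argparse cannot catch for the caller; either leave `-e` unassigned for this release or say so in the help string, e.g. `help="Directory containing Malcolm's .env files (-e previously selected --opensearch-expose)"`. The long-form options are unaffected.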
@@ -2522,6 +2702,9 @@ def main(): parser.print_help() exit(2) + if os.path.islink(os.path.join(ScriptPath, ScriptName)) and ScriptName.startswith('configure'): + args.configOnly = True + if args.debug: eprint(os.path.join(ScriptPath, ScriptName)) eprint(f"Arguments: {sys.argv[1:]}") @@ -2531,12 +2714,23 @@ def main(): requests_imported = RequestsDynamic(debug=args.debug, forceInteraction=(not args.acceptDefaultsNonInteractive)) yaml_imported = YAMLDynamic(debug=args.debug, forceInteraction=(not args.acceptDefaultsNonInteractive)) + dotenv_imported = DotEnvDynamic(debug=args.debug, forceInteraction=(not args.acceptDefaultsNonInteractive)) if args.debug: eprint(f"Imported requests: {requests_imported}") eprint(f"Imported yaml: {yaml_imported}") - if (not requests_imported) or (not yaml_imported): + eprint(f"Imported dotenv: {dotenv_imported}") + if (not requests_imported) or (not yaml_imported) or (not dotenv_imported): exit(2) + orchMode = OrchestrationFramework.UNKNOWN + if args.configFile and os.path.isfile(args.configFile): + if not ( + (orchMode := DetermineYamlFileFormat(args.configFile)) and (orchMode in OrchestrationFrameworksSupported) + ): + raise Exception(f'{args.configFile} must be a docker-compose or kubeconfig YAML file') + else: + orchMode = OrchestrationFramework.DOCKER_COMPOSE + # If Malcolm and images tarballs are provided, we will use them. # If they are not provided, look in the pwd first, then in the script directory, to see if we # can locate the most recent tarballs 
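Review bot: When `args.configFile` is given but `os.path.isfile(args.configFile)` is false, the `else` branch silently selects `OrchestrationFramework.DOCKER_COMPOSE`, so a mistyped `-f` path proceeds as a compose install with `installPath` auto-detected later instead of the run stopping. A missing explicit path deserves its own error ahead of the default: `elif args.configFile: raise Exception(f'{args.configFile} does not exist')`. The walrus check itself is sound, since `UNKNOWN` is not a member of `OrchestrationFrameworksSupported` and is rejected by the `in` test.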
@@ -2572,12 +2766,12 @@ def main(): installerPlatform = platform.system() if installerPlatform == PLATFORM_LINUX: - installer = LinuxInstaller(debug=args.debug, configOnly=args.configOnly) + installer = LinuxInstaller(orchMode, debug=args.debug, configOnly=args.configOnly) elif installerPlatform == PLATFORM_MAC: - installer = MacInstaller(debug=args.debug, configOnly=args.configOnly) + installer = MacInstaller(orchMode, debug=args.debug, configOnly=args.configOnly) elif installerPlatform == PLATFORM_WINDOWS: raise Exception(f'{ScriptName} is not yet supported on {installerPlatform}') - installer = WindowsInstaller(debug=args.debug, configOnly=args.configOnly) + # installer = WindowsInstaller(orchMode, debug=args.debug, configOnly=args.configOnly) success = False installPath = None 
@@ -2585,22 +2779,56 @@ def main(): if not args.configOnly: if hasattr(installer, 'install_required_packages'): success = installer.install_required_packages() - if hasattr(installer, 'install_docker'): + if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_docker'): success = installer.install_docker() - if hasattr(installer, 'install_docker_compose'): + if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_docker_compose'): success = installer.install_docker_compose() if hasattr(installer, 'tweak_system_files'): success = installer.tweak_system_files() - if hasattr(installer, 'install_docker_images'): + if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_docker_images'): success = installer.install_docker_images(imageFile) - if args.configOnly or (args.configFile and os.path.isfile(args.configFile)): - if not args.configFile: - for testPath in [origPath, ScriptPath, os.path.realpath(os.path.join(ScriptPath, ".."))]: - if os.path.isfile(os.path.join(testPath, "docker-compose.yml")): - installPath = testPath + # if .env directory is unspecified, use the default ./config directory + if args.configDir is None: + args.configDir = os.path.join(MalcolmPath, 'config') + try: + os.makedirs(args.configDir) + except OSError as exc: + if (exc.errno == errno.EEXIST) and os.path.isdir(args.configDir): + pass + else: + raise + + if orchMode is OrchestrationFramework.KUBERNETES: + kube_imported = KubernetesDynamic(debug=args.debug) + if args.debug: + eprint(f"Imported kubernetes: {kube_imported}") + if kube_imported: + kube_imported.config.load_kube_config(args.configFile) else: + raise Exception( + f'{ScriptName} requires the official Python client library for kubernetes for {orchMode} mode' + ) + + if ( + args.configOnly + or (args.configFile and os.path.isfile(args.configFile)) + or (args.configDir and os.path.isdir(args.configDir)) + ): + if args.configFile and 
os.path.isfile(args.configFile): installPath = os.path.dirname(os.path.realpath(args.configFile)) + + elif args.configDir and os.path.isfile(args.configDir): + installPath = os.path.dirname(os.path.realpath(args.configDir)) + + else: + for testPath in [origPath, ScriptPath, os.path.realpath(os.path.join(ScriptPath, ".."))]: + if os.path.isfile(os.path.join(testPath, "docker-compose.yml")) or os.path.isdir( + os.path.join(testPath, "config") + ): + installPath = testPath + break + success = (installPath is not None) and os.path.isdir(installPath) if args.debug: eprint(f"Malcolm installation detected at {installPath}") diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh index 53db37ca0..8eb037d9e 100755 --- a/scripts/malcolm_appliance_packager.sh +++ b/scripts/malcolm_appliance_packager.sh @@ -67,7 +67,7 @@ if mkdir "$DESTDIR"; then mkdir $VERBOSE -p "$DESTDIR/htadmin/" mkdir $VERBOSE -p "$DESTDIR/logstash/certs/" mkdir $VERBOSE -p "$DESTDIR/logstash/maps/" - mkdir $VERBOSE -p "$DESTDIR/netbox/env/" + mkdir $VERBOSE -p "$DESTDIR/netbox/" mkdir $VERBOSE -p "$DESTDIR/netbox/media/" mkdir $VERBOSE -p "$DESTDIR/netbox/postgres/" mkdir $VERBOSE -p "$DESTDIR/netbox/redis/" @@ -77,6 +77,7 @@ if mkdir "$DESTDIR"; then mkdir $VERBOSE -p "$DESTDIR/opensearch/nodes/" mkdir $VERBOSE -p "$DESTDIR/pcap/processed/" mkdir $VERBOSE -p "$DESTDIR/pcap/upload/" + mkdir $VERBOSE -p "$DESTDIR/config/" mkdir $VERBOSE -p "$DESTDIR/scripts/" mkdir $VERBOSE -p "$DESTDIR/suricata-logs/live" mkdir $VERBOSE -p "$DESTDIR/suricata/rules/" 
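Review bot: `elif args.configDir and os.path.isfile(args.configDir):` tests a directory with `isfile`, so it is effectively never true and an explicit `--environment-dir` never sets `installPath` directly; control falls to the `testPath` loop, which can pick a different tree than the one the user pointed at. The enclosing condition already admits this branch via `os.path.isdir(args.configDir)`, so the line should read `elif args.configDir and os.path.isdir(args.configDir):`. Separately, the default directory is created with `os.makedirs(args.configDir)` under the caller's umask, although per the help text it is where Malcolm's `.env` files live and the packager hunk drops the old `auth.env` in favour of `config/`; if nothing else needs to traverse it, `os.makedirs(args.configDir, mode=0o700, exist_ok=True)` restricts it to the owner and also replaces the `errno.EEXIST` handling.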
@@ -89,17 +90,30 @@ if mkdir "$DESTDIR"; then mkdir $VERBOSE -p "$DESTDIR/zeek-logs/upload/" mkdir $VERBOSE -p "$DESTDIR/zeek/intel/MISP" mkdir $VERBOSE -p "$DESTDIR/zeek/intel/STIX" + + cp $VERBOSE ./config/*.example "$DESTDIR/config/" cp $VERBOSE ./docker-compose-standalone.yml "$DESTDIR/docker-compose.yml" - touch "$DESTDIR/"auth.env cp $VERBOSE ./net-map.json "$DESTDIR/" cp $VERBOSE ./scripts/install.py "$DESTDIR/scripts/" cp $VERBOSE ./scripts/control.py "$DESTDIR/scripts/" cp $VERBOSE ./scripts/malcolm_common.py "$DESTDIR/scripts/" + cp $VERBOSE ./scripts/malcolm_kubernetes.py "$DESTDIR/scripts/" + cp $VERBOSE ./scripts/malcolm_utils.py "$DESTDIR/scripts/" cp $VERBOSE ./README.md "$DESTDIR/" cp $VERBOSE ./logstash/certs/*.conf "$DESTDIR/logstash/certs/" cp $VERBOSE ./logstash/maps/malcolm_severity.yaml "$DESTDIR/logstash/maps/" cp $VERBOSE -r ./netbox/config/ "$DESTDIR/netbox/" - cp $VERBOSE ./netbox/env/netbox.env.example "$DESTDIR/netbox/env/" + + unset CONFIRMATION + echo "" + read -p "Package Kubernetes manifests in addition to docker-compose.yml [y/N]? " CONFIRMATION + CONFIRMATION=${CONFIRMATION:-N} + if [[ $CONFIRMATION =~ ^[Yy]$ ]]; then + mkdir $VERBOSE -p "$DESTDIR/kubernetes/" + cp $VERBOSE ./kubernetes/*.* "$DESTDIR/kubernetes/" + grep -v '^#' ./kubernetes/.gitignore | xargs -r -I XXX rm -f "$DESTDIR/kubernetes/XXX" + fi + pushd "$DESTDIR" >/dev/null 2>&1 touch ./.opensearch.primary.curlrc ./.opensearch.secondary.curlrc chmod 600 ./.opensearch.primary.curlrc ./.opensearch.secondary.curlrc 
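Review bot: `grep -v '^#' ./kubernetes/.gitignore | xargs -r -I XXX rm -f "$DESTDIR/kubernetes/XXX"` hands each ignore entry to `rm` literally, so a glob pattern in that file (constructed example: `*.local.yaml`) is never expanded and the files it was meant to keep out of the tarball are packaged anyway, while a blank line becomes `rm -f "$DESTDIR/kubernetes/"`, which fails on a directory. Assuming the intent is to exclude locally generated manifests from what is shipped, letting the shell expand each pattern against the destination directory does that; `git ls-files -- kubernetes` would be another way to copy only tracked files, if the packager is always run from a checkout.
```sh
    mkdir $VERBOSE -p "$DESTDIR/kubernetes/"
    cp $VERBOSE ./kubernetes/*.* "$DESTDIR/kubernetes/"
    while IFS= read -r PATTERN; do
      [[ -z "$PATTERN" || "$PATTERN" == \#* ]] && continue
      rm -f "$DESTDIR/kubernetes/"$PATTERN
    done < ./kubernetes/.gitignore
```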
@@ -113,12 +127,16 @@ if mkdir "$DESTDIR"; then ln -s ./control.py status ln -s ./control.py stop ln -s ./control.py wipe + ln -s ./install.py configure popd >/dev/null 2>&1 pushd .. >/dev/null 2>&1 DESTNAME="$RUN_PATH/$(basename $DESTDIR).tar.gz" README="$RUN_PATH/$(basename $DESTDIR).README.txt" cp $VERBOSE "$SCRIPT_PATH/install.py" "$RUN_PATH/" cp $VERBOSE "$SCRIPT_PATH/malcolm_common.py" "$RUN_PATH/" + cp $VERBOSE "$SCRIPT_PATH/malcolm_kubernetes.py" "$RUN_PATH/" + cp $VERBOSE "$SCRIPT_PATH/malcolm_utils.py" "$RUN_PATH/" + tar -czf $VERBOSE "$DESTNAME" "./$(basename $DESTDIR)/" echo "Packaged Malcolm to \"$DESTNAME\"" @@ -153,9 +171,8 @@ if mkdir "$DESTDIR"; then echo " - OpenSearch Dashboards: https://localhost/dashboards/" | tee -a "$README" echo " - PCAP upload (web): https://localhost/upload/" | tee -a "$README" echo " - PCAP upload (sftp): sftp://USERNAME@127.0.0.1:8022/files/" | tee -a "$README" - echo " - Host and subnet name mapping editor: https://localhost/name-map-ui/" | tee -a "$README" echo " - NetBox: https://localhost/netbox/" | tee -a "$README" - echo " - Account management: https://localhost:488/" | tee -a "$README" + echo " - Account management: https://localhost/auth/" | tee -a "$README" echo " - Documentation: https://localhost/readme/" | tee -a "$README" popd >/dev/null 2>&1 popd >/dev/null 2>&1 diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py index ad956ee39..8dfb84a3b 100644 --- a/scripts/malcolm_common.py +++ b/scripts/malcolm_common.py @@ -3,8 +3,6 @@ # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. -import argparse -import contextlib import getpass import importlib import json 
@@ -13,23 +11,25 @@ import re import string import sys -import time - -from enum import IntFlag, auto - -try: - from pwd import getpwuid -except ImportError: - getpwuid = None -from subprocess import PIPE, STDOUT, Popen, CalledProcessError +import malcolm_utils +from malcolm_utils import ( + deep_get, + eprint, + EscapeAnsi, + LoadStrIfJson, + remove_suffix, + run_process, + str2bool, +) from collections import defaultdict, namedtuple +from enum import Flag, IntFlag, auto try: - from collections.abc import Iterable + from pwd import getpwuid except ImportError: - from collections import Iterable + getpwuid = None try: from dialog import Dialog @@ -39,6 +39,14 @@ Dialog = None MainDialog = None +try: + from colorama import init as ColoramaInit, Fore, Back, Style + + ColoramaInit() + coloramaImported = True +except Exception: + coloramaImported = False + ################################################################################################### ScriptPath = os.path.dirname(os.path.realpath(__file__)) MalcolmPath = os.path.abspath(os.path.join(ScriptPath, os.pardir)) 
@@ -90,75 +98,13 @@ class UserInterfaceMode(IntFlag): HOMEBREW_INSTALL_URLS = defaultdict(lambda: 'https://brew.sh/') -################################################################################################### -# chdir to directory as context manager, returning automatically -@contextlib.contextmanager -def pushd(directory): - prevDir = os.getcwd() - os.chdir(directory) - try: - yield - finally: - os.chdir(prevDir) - - -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) - - -################################################################################################### -def EscapeAnsi(line): - ansiEscape = re.compile(r'(?:\x1B[@-_]|[\x80-\x9F])[0-?]*[ -/]*[@-~]') - return ansiEscape.sub('', line) +class OrchestrationFramework(Flag): + UNKNOWN = auto() + DOCKER_COMPOSE = auto() + KUBERNETES = auto() -################################################################################################### -def EscapeForCurl(s): - return s.translate( - str.maketrans( - { - '"': r'\"', - "\\": r"\\", - "\t": r"\t", - "\n": r"\n", - "\r": r"\r", - "\v": r"\v", - } - ) - ) - - -################################################################################################### -def custom_make_translation(text, translation): - regex = re.compile('|'.join(map(re.escape, translation))) - return regex.sub(lambda match: translation[match.group(0)], text) - - -################################################################################################## -def UnescapeForCurl(s): - return custom_make_translation( - s, - { - r'\"': '"', - r"\t": "\t", - r"\n": "\n", - r"\r": "\r", - r"\v": "\v", - r"\\": "\\", - }, - ) - - -################################################################################################### -# if the object is an iterable, return it, otherwise return a tuple with it as a single element. 
-# useful if you want to user either a scalar or an array in a loop, etc. -def GetIterable(x): - if isinstance(x, Iterable) and not isinstance(x, str): - return x - else: - return (x,) +OrchestrationFrameworksSupported = OrchestrationFramework.DOCKER_COMPOSE | OrchestrationFramework.KUBERNETES ################################################################################################## @@ -175,7 +121,7 @@ def ReplaceBindMountLocation(line, location, linePrefix): def LocalPathForContainerBindMount(service, dockerComposeContents, containerPath, localBasePath=None): localPath = None if service and dockerComposeContents and containerPath: - vols = DeepGet(dockerComposeContents, ['services', service, 'volumes']) + vols = deep_get(dockerComposeContents, ['services', service, 'volumes']) if (vols is not None) and (len(vols) > 0): for vol in vols: volSplit = vol.split(':') 
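Review bot: `UNKNOWN = auto()` in a `Flag` subclass is bit 1, so `bool(OrchestrationFramework.UNKNOWN)` is True and only membership in `OrchestrationFrameworksSupported` distinguishes it from a supported mode. A comment on the class heads off the natural `if orchMode:` mistake: `# UNKNOWN is a real flag bit (truthy); test membership in OrchestrationFrameworksSupported, not bool(mode)`. This hunk also deletes `pushd`, `EscapeForCurl`, `UnescapeForCurl` and `GetIterable`, while the new `from malcolm_utils import (...)` list earlier in the file brings back only `deep_get`, `eprint`, `EscapeAnsi`, `LoadStrIfJson`, `remove_suffix`, `run_process` and `str2bool`; if any of the removed names is still referenced in this module (the curl-file code further down is a likely place), it now has to be reached as `malcolm_utils.<name>` or added to that import list.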
@@ -190,75 +136,22 @@ def LocalPathForContainerBindMount(service, dockerComposeContents, containerPath ################################################################################################## -def GetUidGidFromComposeFile(composeFile): +def GetUidGidFromEnv(configDir=None): + configDirToCheck = configDir if configDir and os.path.isdir(configDir) else os.path.join(MalcolmPath, 'config') uidGidDict = defaultdict(str) - pyPlatform = platform.system() - uidGidDict['PUID'] = f'{os.getuid()}' if (pyPlatform != PLATFORM_WINDOWS) else '1000' - uidGidDict['PGID'] = f'{os.getgid()}' if (pyPlatform != PLATFORM_WINDOWS) else '1000' - if os.path.isfile(composeFile): - with open(composeFile, 'r') as f: - composeFileLines = f.readlines() - uidGidDict.update( - dict( - x.split(':') - for x in [ - ''.join(x.split()) for x in composeFileLines if re.search(r'^\s*P[UG]ID\s*:\s*\d+\s*$', x) - ] - ) - ) - return uidGidDict - - -################################################################################################### -def same_file_or_dir(path1, path2): - try: - return os.path.samefile(path1, path2) - except Exception: - return False - - -################################################################################################### -# parse a curl-formatted config file, with special handling for user:password and URL -# see https://everything.curl.dev/cmdline/configfile -# e.g.: -# -# given .opensearch.primary.curlrc containing: -# - -# user: "sikari:changethis" -# insecure -# - -# -# ParseCurlFile('.opensearch.primary.curlrc') returns: -# { -# 'user': 'sikari', -# 'password': 'changethis', -# 'insecure': '' -# } -def ParseCurlFile(curlCfgFileName): - result = defaultdict(lambda: None) - if os.path.isfile(curlCfgFileName): - itemRegEx = re.compile(r'^([^\s:=]+)((\s*[:=]?\s*)(.*))?$') - with open(curlCfgFileName, 'r') as f: - allLines = [x.strip().lstrip('-') for x in f.readlines() if not x.startswith('#')] - for line in allLines: - found = itemRegEx.match(line) - 
if found is not None: - key = found.group(1) - value = UnescapeForCurl(found.group(4).lstrip('"').rstrip('"')) - if (key == 'user') and (':' in value): - splitVal = value.split(':', 1) - result[key] = splitVal[0] - if len(splitVal) > 1: - result['password'] = splitVal[1] - else: - result[key] = value - - return result - + if dotEnvImported := DotEnvDynamic(): + pyPlatform = platform.system() + uidGidDict['PUID'] = f'{os.getuid()}' if (pyPlatform != PLATFORM_WINDOWS) else '1000' + uidGidDict['PGID'] = f'{os.getgid()}' if (pyPlatform != PLATFORM_WINDOWS) else '1000' + envFileName = os.path.join(configDirToCheck, 'process.env') + if os.path.isfile(envFileName): + envValues = dotEnvImported.dotenv_values(envFileName) + if 'PUID' in envValues: + uidGidDict['PUID'] = envValues['PUID'] + if 'PGID' in envValues: + uidGidDict['PGID'] = envValues['PGID'] -################################################################################################### -def contains_whitespace(s): - return True in [c in s for c in string.whitespace] + return uidGidDict ################################################################################################### @@ -602,22 +495,6 @@ def DisplayProgramBox( return reply -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if isinstance(v, bool): - return v - elif isinstance(v, str): - if v.lower() in ("yes", "true", "t", "y", "1"): - return True - elif v.lower() in ("no", "false", "f", "n", "0"): - return False - else: - raise ValueError("Boolean value expected") - else: - raise ValueError("Boolean value expected") - - ################################################################################################### # Dies if $value isn't positive. NoneType is also acceptable def posInt(value): 
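Review bot: The PUID/PGID fallbacks (`os.getuid()` / `'1000'` on Windows) are only assigned inside the `if dotEnvImported := DotEnvDynamic():` block, so when python-dotenv is unavailable the function returns a `defaultdict(str)` whose PUID/PGID read as empty strings, whereas the replaced GetUidGidFromComposeFile always populated them; move the two `uidGidDict['PUID'] = ...` / `uidGidDict['PGID'] = ...` lines above the `if`. The old parser also only accepted numeric values (`\d+`), while `dotenv_values` hands back any string (or `None` for a bare `PUID` line); a guard such as `if str(envValues.get('PUID', '')).isdigit(): uidGidDict['PUID'] = envValues['PUID']` would keep a malformed process.env from propagating a non-numeric id into whatever consumes this dict. `configDirToCheck` is derived with a truthiness test here but with `is not None` in MalcolmAuthFilesExist (hunk at -815); the two should agree.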
@@ -626,122 +503,11 @@ def posInt(value): ivalue = int(value) if ivalue <= 0: - raise argparse.ArgumentTypeError("{} is an invalid positive int value".format(value)) + raise ValueError("{} is an invalid positive int value".format(value)) return ivalue -################################################################################################### -# determine if a program/script exists and is executable in the system path -def Which(cmd, debug=False): - result = any(os.access(os.path.join(path, cmd), os.X_OK) for path in os.environ["PATH"].split(os.pathsep)) - if debug: - eprint(f"Which {cmd} returned {result}") - return result - - -################################################################################################### -# nice human-readable file sizes -def SizeHumanFormat(num, suffix='B'): - for unit in ['', 'Ki', 'Mi', 'Gi', 'Ti', 'Pi', 'Ei', 'Zi']: - if abs(num) < 1024.0: - return f"{num:3.1f}{unit}{suffix}" - num /= 1024.0 - return f"{num:.1f}{'Yi'}{suffix}" - - -################################################################################################### -# is this string valid json? 
if so, load and return it -def LoadStrIfJson(jsonStr): - try: - return json.loads(jsonStr) - except ValueError: - return None - - -################################################################################################### -# safe deep get for a dictionary -# -# Example: -# d = {'meta': {'status': 'OK', 'status_code': 200}} -# DeepGet(d, ['meta', 'status_code']) # => 200 -# DeepGet(d, ['garbage', 'status_code']) # => None -# DeepGet(d, ['meta', 'garbage'], default='-') # => '-' -def DeepGet(d, keys, default=None): - assert type(keys) is list - if d is None: - return default - if not keys: - return d - return DeepGet(d.get(keys[0]), keys[1:], default) - - -################################################################################################### -# run command with arguments and return its exit code, stdout, and stderr -def check_output_input(*popenargs, **kwargs): - if 'stdout' in kwargs: - raise ValueError('stdout argument not allowed, it will be overridden') - - if 'stderr' in kwargs: - raise ValueError('stderr argument not allowed, it will be overridden') - - if 'input' in kwargs and kwargs['input']: - if 'stdin' in kwargs: - raise ValueError('stdin and input arguments may not both be used') - inputdata = kwargs['input'] - kwargs['stdin'] = PIPE - else: - inputdata = None - kwargs.pop('input', None) - - process = Popen(*popenargs, stdout=PIPE, stderr=PIPE, **kwargs) - try: - output, errput = process.communicate(inputdata) - except Exception: - process.kill() - process.wait() - raise - - retcode = process.poll() - - return retcode, output, errput - - -################################################################################################### -# run command with arguments and return its exit code, stdout, and stderr -def run_process( - command, stdout=True, stderr=True, stdin=None, retry=0, retrySleepSec=5, cwd=None, env=None, debug=False -): - retcode = -1 - output = [] - - try: - # run the command - retcode, cmdout, cmderr = 
check_output_input( - command, input=stdin.encode() if stdin else stdin, cwd=cwd, env=env - ) - - # split the output on newlines to return a list - if stderr and (len(cmderr) > 0): - output.extend(cmderr.decode(sys.getdefaultencoding()).split('\n')) - if stdout and (len(cmdout) > 0): - output.extend(cmdout.decode(sys.getdefaultencoding()).split('\n')) - - except (FileNotFoundError, OSError, IOError): - if stderr: - output.append(f"Command {command} not found or unable to execute") - - if debug: - eprint(f"{command}({stdin[:80] + bool(stdin[80:]) * '...' if stdin else ''}) returned {retcode}: {output}") - - if (retcode != 0) and retry and (retry > 0): - # sleep then retry - time.sleep(retrySleepSec) - return run_process(command, stdout, stderr, stdin, retry - 1, retrySleepSec, cwd, env, debug) - else: - return retcode, output - - ################################################################################################### # attempt dynamic imports, prompting for install via pip if possible DynImports = defaultdict(lambda: None) @@ -766,12 +532,12 @@ def DoDynamicImport(importName, pipPkgName, interactive=False, debug=False): pyPlatform = platform.system() pyExec = sys.executable pipCmd = "pip3" - if not Which(pipCmd, debug=debug): + if not malcolm_utils.which(pipCmd, debug=debug): pipCmd = "pip" eprint(f"The {pipPkgName} module is required under Python {platform.python_version()} ({pyExec})") - if interactive and Which(pipCmd, debug=debug): + if interactive and malcolm_utils.which(pipCmd, debug=debug): if YesOrNo(f"Importing the {pipPkgName} module failed. Attempt to install via {pipCmd}?"): installCmd = None 
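Review bot: Switching posInt from `argparse.ArgumentTypeError` to `ValueError` changes what a CLI user sees: argparse reports an ArgumentTypeError's text verbatim but turns a `ValueError` from a `type=` callable into the generic `invalid posInt value: ...`, so the custom "is an invalid positive int value" message on the changed line is lost wherever posInt is still passed as `type=posInt` (presumably the `argparse` import was dropped deliberately, but the call sites should be checked). If callers now catch ValueError themselves this is fine; otherwise keep the argparse exception or document the trade-off. The comment above the function, `# Dies if $value isn't positive...`, now misdescribes it; `# Raises ValueError if $value isn't a positive int (NoneType is also acceptable)` matches the body. posInt's `def` line is the hunk's context header, outside the hunk.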
@@ -815,24 +581,57 @@ def YAMLDynamic(debug=False, forceInteraction=False): return DoDynamicImport("yaml", "pyyaml", interactive=forceInteraction, debug=debug) +def KubernetesDynamic(verifySsl=False, debug=False, forceInteraction=False): + return DoDynamicImport("kubernetes", "kubernetes", interactive=forceInteraction, debug=debug) + + +def DotEnvDynamic(debug=False, forceInteraction=False): + return DoDynamicImport("dotenv", "python-dotenv", interactive=forceInteraction, debug=debug) + + ################################################################################################### # do the required auth files for Malcolm exist? -def MalcolmAuthFilesExist(): +def MalcolmAuthFilesExist(configDir=None): + configDirToCheck = ( + configDir if configDir is not None and os.path.isdir(configDir) else os.path.join(MalcolmPath, 'config') + ) return ( os.path.isfile(os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd'))) and os.path.isfile(os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf'))) and os.path.isfile(os.path.join(MalcolmPath, os.path.join('nginx', os.path.join('certs', 'cert.pem')))) and os.path.isfile(os.path.join(MalcolmPath, os.path.join('nginx', os.path.join('certs', 'key.pem')))) and os.path.isfile(os.path.join(MalcolmPath, os.path.join('htadmin', 'config.ini'))) - and os.path.isfile(os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'netbox.env')))) - and os.path.isfile(os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'postgres.env')))) - and os.path.isfile(os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'redis-cache.env')))) - and os.path.isfile(os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'redis.env')))) - and os.path.isfile(os.path.join(MalcolmPath, 'auth.env')) + and os.path.isfile(os.path.join(configDirToCheck, 'netbox-secret.env')) + and os.path.isfile(os.path.join(configDirToCheck, 'netbox-postgres.env')) + and 
os.path.isfile(os.path.join(configDirToCheck, 'netbox-redis-cache.env')) + and os.path.isfile(os.path.join(configDirToCheck, 'netbox-redis.env')) + and os.path.isfile(os.path.join(configDirToCheck, 'auth.env')) and os.path.isfile(os.path.join(MalcolmPath, '.opensearch.primary.curlrc')) ) +################################################################################################### +# determine if a YAML file looks like a docker-compose.yml file or a kubeconfig file +def DetermineYamlFileFormat(inputFileName): + result = OrchestrationFramework.UNKNOWN + + if yamlImported := YAMLDynamic(): + try: + with open(inputFileName, 'r') as cf: + orchestrationYaml = yamlImported.safe_load(cf) + + if isinstance(orchestrationYaml, dict): + if any(key in orchestrationYaml for key in ('apiVersion', 'clusters', 'contexts', 'kind')): + result = OrchestrationFramework.KUBERNETES + elif 'services' in orchestrationYaml: + result = OrchestrationFramework.DOCKER_COMPOSE + + except Exception as e: + eprint(f'Error deciphering {inputFileName}: {e}') + + return result + + ################################################################################################### # download to file def DownloadToFile(url, local_filename, debug=False): 
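Review bot: `KubernetesDynamic` declares a `verifySsl=False` parameter but never uses it — it is neither forwarded to `DoDynamicImport` nor applied to the kubernetes client configuration — so a caller writing `KubernetesDynamic(verifySsl=True)` gets no change in TLS verification and no error. Either drop the parameter or honour it (for example by setting the imported client's default `Configuration` `verify_ssl` before returning the module); a silently ignored security flag is worse than none. In DetermineYamlFileFormat the broad `except Exception` turns a missing or unreadable file into UNKNOWN with only an `eprint`; that is reasonable for a probe, but a comment such as `# UNKNOWN also covers unreadable/unparseable files; caller decides how to report it` would make the contract explicit.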
@@ -845,34 +644,202 @@ def DownloadToFile(url, local_filename, debug=False): fSize = os.path.getsize(local_filename) if debug: eprint( - f"Download of {url} to {local_filename} {'succeeded' if fExists else 'failed'} ({SizeHumanFormat(fSize)})" + f"Download of {url} to {local_filename} {'succeeded' if fExists else 'failed'} ({malcolm_utils.sizeof_fmt(fSize)})" ) return fExists and (fSize > 0) ################################################################################################### -# recursively remove empty subfolders -def RemoveEmptyFolders(path, removeRoot=True): - if not os.path.isdir(path): - return - - files = os.listdir(path) - if len(files): - for f in files: - fullpath = os.path.join(path, f) - if os.path.isdir(fullpath): - RemoveEmptyFolders(fullpath) - - files = os.listdir(path) - if len(files) == 0 and removeRoot: - try: - os.rmdir(path) - except Exception: - pass +# process log line from containers' output + +URL_USER_PASS_REGEX = re.compile(r'(\w+://[^/]+?:)[^/]+?(@[^/]+)') + +# noisy logs (a lot of it is NGINX logs from health checks) +LOG_IGNORE_REGEX = re.compile( + r""" +.+( + deprecated + | "GET\s+/\s+HTTP/1\.\d+"\s+200\s+- + | \bGET.+\b302\s+30\b + | (async|output)\.go.+(reset\s+by\s+peer|Connecting\s+to\s+backoff|backoff.+established$) + | /(opensearch-dashboards|dashboards|kibana)/(api/ui_metric/report|internal/search/(es|opensearch)) + | (Error\s+during\s+file\s+comparison|File\s+was\s+renamed):\s+/zeek/live/logs/ + | /_ns_/nstest\.html + | /usr/share/logstash/x-pack/lib/filters/geoip/database_manager + | \b(d|es)?stats\.json + | \b1.+GET\s+/\s+.+401.+curl + | _cat/indices + | branding.*config\s+is\s+not\s+found\s+or\s+invalid + | but\s+there\s+are\s+no\s+living\s+connections + | Connecting\s+to\s+backoff + | curl.+localhost.+GET\s+/api/status\s+200 + | DEPRECATION + | descheduling\s+job\s*id + | eshealth + | esindices/list + | executing\s+attempt_(transition|set_replica_count)\s+for + | 
GET\s+/(netbox/api|_cat/health|api/status|sessions2-|arkime_\w+).+HTTP/[\d\.].+\b200\b + | loaded\s+config\s+'/etc/netbox/config/ + | "netbox"\s+application\s+started + | \[notice\].+app\s+process\s+\d+\s+exited\s+with\s+code\s+0\b + | kube-probe/ + | POST\s+/(arkime_\w+)(/\w+)?/_(d?stat|doc|search).+HTTP/[\d\.].+\b20[01]\b + | POST\s+/_bulk\s+HTTP/[\d\.].+\b20[01]\b + | POST\s+/server/php/\s+HTTP/\d+\.\d+"\s+\d+\s+\d+.*:8443/ + | POST\s+HTTP/[\d\.].+\b200\b + | reaped\s+unknown\s+pid + | redis.*(changes.+seconds.+Saving|Background\s+saving\s+(started|terminated)|DB\s+saved\s+on\s+disk|Fork\s+CoW) + | remov(ed|ing)\s+(old\s+file|dead\s+symlink|empty\s+directory) + | retry\.go.+(send\s+unwait|done$) + | running\s+full\s+sweep + | saved_objects + | scheduling\s+job\s*id.+opendistro-ism + | SSL/TLS\s+verifications\s+disabled + | Successfully\s+handled\s+GET\s+request\s+for\s+'/' + | Test\s+run\s+complete.*:failed=>0,\s*:errored=>0\b + | throttling\s+index + | update_mapping + | updating\s+number_of_replicas + | use_field_mapping + | Using\s+geoip\s+database +) +""", + re.VERBOSE | re.IGNORECASE, +) +# logs we don't want to eliminate, but we don't want to repeat ad-nauseum +# TODO: not implemented yet +# dupeRegEx = re.compile( +# r""" +# .+( +# Maybe the destination pipeline is down or stopping +# ) +# """, +# re.VERBOSE | re.IGNORECASE, +# ) -################################################################################################### -# open a file and close it, updating its access time -def Touch(filename): - open(filename, 'a').close() - os.utime(filename, None) +SERVICE_REGEX = re.compile(r'^(?P.+?\|)\s*(?P.*)$') + +CONTAINER_REPL_REGEX = re.compile(r'([\w\.-]+)-container(\s*\|)') + +ISO8601_TIME_REGEX = re.compile( + r'^(-?(?:[1-9][0-9]*)?[0-9]{4})-(1[0-2]|0[1-9])-(3[01]|0[1-9]|[12][0-9])T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-](?:2[0-3]|[01][0-9]):[0-5][0-9])?$' +) + + +def ProcessLogLine(line, debug=False): + global 
ISO8601_TIME_REGEX + global LOG_IGNORE_REGEX + global SERVICE_REGEX + global URL_USER_PASS_REGEX + + outputStr = CONTAINER_REPL_REGEX.sub(r"\1\2", URL_USER_PASS_REGEX.sub(r"\1xxxxxxxx\2", line.decode().strip())) + outputStrEscaped = EscapeAnsi(outputStr) + if LOG_IGNORE_REGEX.match(outputStrEscaped): + return None + else: + serviceMatch = SERVICE_REGEX.search(outputStrEscaped) + serviceMatchFmt = SERVICE_REGEX.search(outputStr) if coloramaImported else serviceMatch + serviceStr = serviceMatchFmt.group('service').replace('-container', '') if (serviceMatchFmt is not None) else '' + + messageStr = serviceMatch.group('message') if (serviceMatch is not None) else '' + messageStrSplit = messageStr.split(' ') + messageTimeMatch = ISO8601_TIME_REGEX.match(messageStrSplit[0]) + if (messageTimeMatch is None) or (len(messageStrSplit) <= 1): + messageStrToTestJson = messageStr + else: + messageStrToTestJson = messageStrSplit[1:].join(' ') + + outputJson = LoadStrIfJson(messageStrToTestJson) + if isinstance(outputJson, dict): + # if there's a timestamp, move it outside of the JSON to the beginning of the log string + timeKey = None + if 'time' in outputJson: + timeKey = 'time' + elif 'timestamp' in outputJson: + timeKey = 'timestamp' + elif '@timestamp' in outputJson: + timeKey = '@timestamp' + timeStr = '' + if timeKey is not None: + timeStr = f"{outputJson[timeKey]} " + outputJson.pop(timeKey, None) + elif messageTimeMatch is not None: + timeStr = f"{messageTimeMatch[0]} " + + if ('job.schedule' in outputJson) and ('job.position' in outputJson) and ('job.command' in outputJson): + # this is a status line line from supercronic, let's format and clean it up so it fits in better with the rest of the logs + + # remove some clutter for the display + for noisyKey in ['level', 'channel', 'iteration', 'job.position', 'job.schedule']: + outputJson.pop(noisyKey, None) + + # if it's just command and message, format those NOT as JSON + jobCmd = outputJson['job.command'] + jobStatus = 
outputJson['msg'] + if (len(outputJson.keys()) == 2) and ('job.command' in outputJson) and ('msg' in outputJson): + # if it's the most common status (starting or job succeeded) then don't print unless debug mode + if debug or ((jobStatus != 'starting') and (jobStatus != 'job succeeded')): + return ( + f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr} {jobCmd}: {jobStatus}" + ) + else: + return None + + else: + # standardize and print the JSON line + return ( + f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{json.dumps(outputJson)}" + ) + + elif 'dashboards' in serviceStr: + # this is an line line from dashboards, let's clean it up a bit: remove some clutter for the display + for noisyKey in ['type', 'tags', 'pid', 'method', 'prevState', 'prevMsg']: + outputJson.pop(noisyKey, None) + + # standardize and print the JSON line + return f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{json.dumps(outputJson)}" + + elif 'filebeat' in serviceStr: + # this is an line line from filebeat, let's clean it up a bit: remove some clutter for the display + for noisyKey in [ + 'ecs.version', + 'harvester_id', + 'input_id', + 'log.level', + 'log.logger', + 'log.origin', + 'os_id', + 'service.name', + 'state_id', + ]: + outputJson.pop(noisyKey, None) + + # we'll fancify a couple of common things from filebeat + if ( + (len(outputJson.keys()) == 3) + and ('message' in outputJson) + and ('source_file' in outputJson) + and ('finished' in outputJson) + ): + return f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{outputJson['message'].rstrip('.')}: {outputJson['source_file']}" + + elif len(outputJson.keys()) == 1: + outputKey = next(iter(outputJson)) + return f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{outputKey + ': ' if outputKey != 'message' else ''}{outputJson[outputKey]}" + + else: + # standardize and print the JSON line + return ( + f"{serviceStr}{Style.RESET_ALL if 
coloramaImported else ''} {timeStr}{json.dumps(outputJson)}" + ) + + else: + # standardize and print the JSON line + return f"{serviceStr}{Style.RESET_ALL if coloramaImported else ''} {timeStr}{json.dumps(outputJson)}" + + else: + # just a regular non-JSON string, print as-is + return outputStr if coloramaImported else outputStrEscaped + + return None diff --git a/scripts/malcolm_kubernetes.py b/scripts/malcolm_kubernetes.py new file mode 100644 index 000000000..9dc88a517 --- /dev/null +++ b/scripts/malcolm_kubernetes.py 
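Review bot: `messageStrToTestJson = messageStrSplit[1:].join(' ')` calls `.join` on a list, which raises AttributeError, and it is reached for exactly the lines the branch exists for — a leading token matching ISO8601_TIME_REGEX followed by more text; it should read `messageStrToTestJson = ' '.join(messageStrSplit[1:])`. The four `global` statements at the top of ProcessLogLine are unnecessary, since the regexes are only read and never rebound, and can be dropped. Masking `scheme://user:password@host` via URL_USER_PASS_REGEX before any formatting is the right place for credential redaction; a comment there, `# redact credentials embedded in URLs before the line reaches any log sink`, would keep that intent visible, and note it does not cover secrets passed in query strings. `coloramaImported` and `Style` are referenced but not defined in this hunk — presumably module-level names from the import block.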
@@ -0,0 +1,820 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. + +import base64 +import glob +import os + +from concurrent.futures import ThreadPoolExecutor, as_completed +from collections import defaultdict +from itertools import chain +from io import StringIO + +from malcolm_common import ( + DotEnvDynamic, + KubernetesDynamic, + MalcolmPath, + YAMLDynamic, +) +from malcolm_utils import ( + deep_get, + dictsearch, + eprint, + get_iterable, + file_contents, + remove_suffix, + tablify, + LoadStrIfJson, + val2bool, +) + + +################################################################################################### +MALCOLM_IMAGE_PREFIX = 'ghcr.io/idaholab/malcolm/' + +MALCOLM_DOTFILE_SECRET_KEY = 'K8S_SECRET' + +MALCOLM_CONFIGMAPS = { + 'etc-nginx': [ + { + 'secret': True, + 'path': os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf')), + }, + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join('nginx', 'nginx.conf')), + }, + ], + 'var-local-catrust': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join('nginx', 'ca-trust')), + }, + ], + 'etc-nginx-certs': [ + { + 'secret': True, + 'path': os.path.join(MalcolmPath, os.path.join('nginx', 'certs')), + }, + ], + 'etc-nginx-certs-pem': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join(os.path.join('nginx', 'certs'), 'dhparam.pem')), + }, + ], + 'etc-nginx-auth': [ + { + 'secret': True, + 'path': os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd')), + }, + ], + 'opensearch-curlrc': [ + { + 'secret': True, + 'path': os.path.join(MalcolmPath, '.opensearch.primary.curlrc'), + }, + { + 'secret': True, + 'path': os.path.join(MalcolmPath, '.opensearch.secondary.curlrc'), + }, + ], + 'opensearch-keystore': [ + { + 'secret': True, + 'path': os.path.join(MalcolmPath, os.path.join('opensearch', 'opensearch.keystore')), + }, + ], + 'logstash-certs': [ + { + 
'secret': True, + 'path': os.path.join(MalcolmPath, os.path.join('logstash', 'certs')), + }, + ], + 'logstash-maps': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join('logstash', 'maps')), + }, + ], + 'logstash-keystore': [ + { + 'secret': True, + 'path': os.path.join(MalcolmPath, os.path.join('logstash', 'logstash.keystore')), + }, + ], + 'yara-rules': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join('yara', 'rules')), + }, + ], + 'suricata-rules': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join('suricata', 'rules')), + }, + ], + 'filebeat-certs': [ + { + 'secret': True, + 'path': os.path.join(MalcolmPath, os.path.join('filebeat', 'certs')), + }, + ], + 'netbox-netmap-json': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, 'net-map.json'), + }, + ], + 'netbox-config': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join(os.path.join('netbox', 'config'), 'configuration')), + }, + ], + 'netbox-reports': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join(os.path.join('netbox', 'config'), 'reports')), + }, + ], + 'netbox-scripts': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join(os.path.join('netbox', 'config'), 'scripts')), + }, + ], + 'htadmin-config': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join('htadmin', 'config.ini')), + }, + { + 'secret': True, + 'path': os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata')), + }, + ], +} + +REQUIRED_VOLUME_OBJECTS = { + 'pcap-claim': 'PersistentVolumeClaim', + 'zeek-claim': 'PersistentVolumeClaim', + 'suricata-claim': 'PersistentVolumeClaim', + 'config-claim': 'PersistentVolumeClaim', + 'runtime-logs-claim': 'PersistentVolumeClaim', + 'opensearch-claim': 'PersistentVolumeClaim', + 'opensearch-backup-claim': 'PersistentVolumeClaim', + # the PersistentVolumes themselves aren't used directly, + # so we only need to define the 
PersistentVolumeClaims + # 'pcap-volume': 'PersistentVolume', + # 'zeek-volume': 'PersistentVolume', + # 'suricata-volume': 'PersistentVolume', + # 'config-volume': 'PersistentVolume', + # 'runtime-logs-volume': 'PersistentVolume', + # 'opensearch-volume': 'PersistentVolume', + # 'opensearch-backup-volume': 'PersistentVolume', +} + + +################################################################################################### +def _nanocore_to_millicore(n): + n = int(n[:-1]) + return str(round(n / 1000000, 2)) + 'm' + + +def _core_to_millicore(n): + n = int(n) + return str(n * 1000) + 'm' + + +def _percent_cpu(tcpu, ccpu): + tcpu = float(tcpu[:-1]) + ccpu = float(ccpu[:-1]) + return str(round((ccpu / tcpu) * 100, 2)) + '%' + + +def _to_gibibyte_or_mebibyte(n): + if n[-2:] == 'Ki': + n = float(n[:-2]) + if str(round(n * 0.000000953674316, 2)).split('.')[0] == '0': + return str(round(n * 0.0009765625, 2)) + 'Mi' + return str(round(n * 0.000000953674316, 2)) + 'Gi' + elif n[-2:] == 'Mi' or n[-2:] == 'Gi': + return n + + +def load_node_list(): + nodes = [] + + if ( + (kubeImported := KubernetesDynamic()) + and (stats_api := kubeImported.client.CustomObjectsApi()) + and (node_stats := stats_api.list_cluster_custom_object("metrics.k8s.io", "v1beta1", "nodes")) + ): + for stat in node_stats['items']: + nodes.append(stat['metadata']['name']) + + return nodes + + +def node_stats(node): + node_dict = {} + if kubeImported := KubernetesDynamic(): + k8s_api = kubeImported.client.CoreV1Api() + api_response = k8s_api.read_node_status(node) + stats_api = kubeImported.client.CustomObjectsApi() + node_stats = stats_api.list_cluster_custom_object("metrics.k8s.io", "v1beta1", "nodes/{}".format(node)) + field_selector = 'spec.nodeName=' + node + pods = k8s_api.list_pod_for_all_namespaces(watch=False, field_selector=field_selector) + node_dict[node] = [ + api_response.metadata.name, + ','.join(list(set([x.address for x in api_response.status.addresses if not 
x.type.endswith('IP')]))), + ','.join(list(set([x.address for x in api_response.status.addresses if x.type.endswith('IP')]))), + api_response.spec.provider_id.split('/')[-1], + api_response.metadata.labels['node.kubernetes.io/instance-type'], + _core_to_millicore(api_response.status.capacity['cpu']), + _nanocore_to_millicore(node_stats['usage']['cpu']), + _percent_cpu( + _core_to_millicore(api_response.status.capacity['cpu']), + _nanocore_to_millicore(node_stats['usage']['cpu']), + ), + _to_gibibyte_or_mebibyte(api_response.status.capacity['memory']), + _to_gibibyte_or_mebibyte(node_stats['usage']['memory']), + _to_gibibyte_or_mebibyte(api_response.status.capacity['ephemeral-storage']), + len(pods.items), + ] + + return node_dict + + +def pod_stats(node, namespace): + pod_dict = {} + if kubeImported := KubernetesDynamic(): + k8s_api = kubeImported.client.CoreV1Api() + stats_api = kubeImported.client.CustomObjectsApi() + field_selector = 'spec.nodeName=' + node + if namespace: + pods = k8s_api.list_namespaced_pod(namespace, watch=False, field_selector=field_selector) + else: + pods = k8s_api.list_pod_for_all_namespaces(watch=False, field_selector=field_selector) + for pod in pods.items: + pod_name = pod.metadata.name + namespace = pod.metadata.namespace + phase = pod.status.phase + pod_ip = pod.status.pod_ip + if not pod.metadata.owner_references: + pod_kind = None + else: + pod_kind = pod.metadata.owner_references[0].kind + worker_node = pod.spec.node_name + try: + cpu = 0 + mem = 0 + cpu_mem = stats_api.get_namespaced_custom_object( + "metrics.k8s.io", "v1beta1", namespace, "pods", pod_name + ) + for c in cpu_mem['containers']: + if c['usage']['cpu'] == '0': + pass + else: + cpu = +int(c['usage']['cpu'][:-1]) + cpu = str(cpu) + 'n' + cpu = _nanocore_to_millicore(cpu) + for m in cpu_mem['containers']: + mem = +int(m['usage']['memory'][:-2]) + mem = str(mem) + 'Ki' + mem = _to_gibibyte_or_mebibyte(mem) + except kubeImported.client.rest.ApiException as x: + if 
x.status == 404: + cpu = 'Not Found' + mem = 'Not Found' + container_name = [] + if not pod.status.container_statuses: + container_name = None + container_image = None + else: + for container in range(len(pod.status.container_statuses)): + container_name.append( + '{}:{}'.format( + pod.status.container_statuses[container].name, + pod.status.container_statuses[container].restart_count, + ) + ) + container_image = [] + for container in range(len(pod.status.container_statuses)): + container_image.append( + pod.status.container_statuses[container].image.replace(MALCOLM_IMAGE_PREFIX, '') + ) + pod_dict[pod_name] = [ + pod_name, + namespace, + phase, + pod_ip, + pod_kind, + worker_node, + cpu, + mem, + ','.join(container_name), + ','.join(container_image), + ] + if namespace: + del pod_dict[pod_name][1] + + return pod_dict + + +def get_node_hostnames_and_ips(mastersOnly=False): + result = {} + result['hostname'] = list() + result['external'] = list() + result['internal'] = list() + + if ( + (kubeImported := KubernetesDynamic()) + and (k8s_api := kubeImported.client.CoreV1Api()) + and ( + node_stats := kubeImported.client.CustomObjectsApi().list_cluster_custom_object( + "metrics.k8s.io", "v1beta1", "nodes" + ) + ) + ): + for stat in node_stats['items']: + if (not mastersOnly) or any( + [ + val2bool(deep_get(stat, ['metadata', 'labels', l], default=False)) + for l in ('node-role.kubernetes.io/control-plane', 'node-role.kubernetes.io/master') + ] + ): + api_response = k8s_api.read_node_status(stat['metadata']['name']) + result['hostname'].extend( + (list(set([x.address for x in api_response.status.addresses if not x.type.endswith('IP')]))) + ) + result['external'].extend( + (list(set([x.address for x in api_response.status.addresses if x.type.endswith('ExternalIP')]))) + ) + result['internal'].extend( + (list(set([x.address for x in api_response.status.addresses if x.type.endswith('InternalIP')]))) + ) + + result['hostname'] = list(set(result['hostname'])) + 
result['external'] = list(set(result['external'])) + result['internal'] = list(set(result['internal'])) + + return result + + +def GetPodNamesForService(service, namespace): + podsNames = [] + + if namespace and (kubeImported := KubernetesDynamic()) and (client := kubeImported.client.CoreV1Api()): + podsNames = [ + x.metadata.name + for x in client.list_namespaced_pod( + namespace, + watch=False, + label_selector=f'name={service}-deployment', + ).items + ] + + return podsNames + + +def PodExec( + service, + namespace, + command, + stdout=True, + stderr=True, + stdin=None, + timeout=60, + maxPodsToExec=1, +): + results = {} + + if namespace and (kubeImported := KubernetesDynamic()) and (client := kubeImported.client.CoreV1Api()): + podsNames = GetPodNamesForService(service, namespace) + + for podName in podsNames[:maxPodsToExec]: + retcode = -1 + output = [] + try: + while True: + resp = client.read_namespaced_pod( + name=podName, + namespace=namespace, + ) + if resp.status.phase != 'Pending': + break + + resp = kubeImported.stream.stream( + client.connect_get_namespaced_pod_exec, + podName, + namespace, + command=get_iterable(command), + stdout=stdout, + stderr=stderr, + stdin=stdin is not None, + tty=False, + _preload_content=False, + ) + rawOutput = StringIO('') + rawErrput = StringIO('') + stdinRemaining = list(get_iterable(stdin)) if (stdin is not None) else [] + counter = 0 + while resp.is_open() and (counter <= timeout): + resp.update(timeout=1) + counter += 1 + if stdout and resp.peek_stdout(): + rawOutput.write(resp.read_stdout()) + if stderr and resp.peek_stderr(): + rawErrput.write(resp.read_stderr()) + if stdinRemaining: + resp.write_stdin(stdinRemaining.pop(0) + "\n") + if stdout and resp.peek_stdout(): + rawOutput.write(resp.read_stdout()) + if stderr and resp.peek_stderr(): + rawErrput.write(resp.read_stderr()) + output.extend(rawOutput.getvalue().split('\n')) + output.extend(rawErrput.getvalue().split('\n')) + + err = None + if yamlImported := 
YAMLDynamic(): + err = yamlImported.safe_load(resp.read_channel(kubeImported.stream.ws_client.ERROR_CHANNEL)) + + if not err: + err = {} + err['status'] = 'Success' + + if deep_get(err, ['status'], None) == 'Success': + retcode = 0 + elif deep_get(err, ['reason'], None) == 'NonZeroExitCode': + retcodes = [ + int(deep_get(x, ['message'], 1)) + for x in deep_get(err, ['details', 'causes'], [{'reason': 'ExitCode', 'message': '1'}]) + if (deep_get(x, ['reason'], None) == 'ExitCode') + ] + retcode = retcodes[0] if len(retcodes) > 0 else 1 + else: + # can't parse, but it's a failure + retcode = 1 + + resp.close() + + except kubeImported.client.rest.ApiException as x: + if x.status != 404: + if retcode == 0: + retcode = 1 + output.extend(str(x)) + + results[podName] = {} + results[podName]['err'] = retcode + results[podName]['output'] = output + + return results + + +def PrintNodeStatus(): + node_list = load_node_list() + with ThreadPoolExecutor() as executor: + futures = [] + for node in node_list: + futures.append(executor.submit(node_stats, node)) + node_summary = {} + for future in as_completed(futures): + a = future.result() + node_summary.update(a) + + statusRows = [ + [ + 'Node Name', + 'Hostname', + 'IP', + 'Provider ID', + 'Instance Type', + 'Total CPU', + 'CPU Usage', + 'Percent CPU', + 'Total Memory', + 'Memory Usage', + 'Total Storage', + 'Current Pods', + ], + ] + for node in node_summary: + statusRows.append([str(x) for x in node_summary[node]]) + + tablify(statusRows) + + +def PrintPodStatus(namespace=None): + node_list = load_node_list() + with ThreadPoolExecutor() as executor: + futures = [] + for node in node_list: + futures.append(executor.submit(pod_stats, node, namespace)) + pod_summary = {} + for future in as_completed(futures): + a = future.result() + pod_summary.update(a) + + statusRows = [ + [ + 'Pod Name', + 'Namespace', + 'State', + 'Pod IP', + 'Pod Kind', + 'Worker Node', + 'CPU Usage', + 'Memory Usage', + 'Container Name:Restarts', + 
'Container Image', + ], + ] + if namespace: + del statusRows[0][1] + + for pod in pod_summary: + statusRows.append([str(x) for x in pod_summary[pod]]) + + tablify(statusRows) + + +def DeleteNamespace(namespace, deleteRetPerVol=False): + results_dict = defaultdict(dict) + + if namespace: + if kubeImported := KubernetesDynamic(): + k8s_api = kubeImported.client.CoreV1Api() + + manualDeletePersistentVolumes = [] + if deleteRetPerVol: + # If indicated, manually delete PersistentVolumes with "Retain" reclaim policy + # - https://kubernetes.io/docs/concepts/storage/persistent-volumes/#retain + + # get a list of PersistentVolumes to delete after the delete_namespace + # 1. from list_namespaced_persistent_volume_claim + # 2. from list_persistent_volume with the "namespace=XXXXXXX" label + manualDeletePersistentVolumes = [ + x.spec.volume_name + for x in k8s_api.list_namespaced_persistent_volume_claim( + watch=False, + namespace=namespace, + ).items + ] + manualDeletePersistentVolumes.extend( + [ + x.metadata.name + for x in k8s_api.list_persistent_volume( + label_selector=f'namespace={namespace}', + ).items + if x.spec.persistent_volume_reclaim_policy == 'Retain' + ] + ) + + # filter (ensuring we only ended up with "Retain" PersistentVolumes) and dedupe + manualDeletePersistentVolumes = list( + chain( + *[ + [ + x.metadata.name + for x in k8s_api.list_persistent_volume( + field_selector=f'metadata.name={name}', + ).items + if x.spec.persistent_volume_reclaim_policy == 'Retain' + ] + for name in set(manualDeletePersistentVolumes) + ] + ) + ) + + # delete the namespace, which should delete the resources belonging to it + try: + results_dict[namespace]['delete_namespace'] = k8s_api.delete_namespace( + namespace, + propagation_policy='Foreground', + ) + except kubeImported.client.rest.ApiException as x: + if x.status != 404: + results_dict[namespace]['error'] = LoadStrIfJson(str(x)) + if not results_dict[namespace]['error']: + results_dict[namespace]['error'] = str(x) + + # If 
indicated, manually delete each PersistentVolume with "Retain" reclaim policy identified above + if manualDeletePersistentVolumes: + results_dict[namespace]['delete_persistent_volume'] = dict() + for name in manualDeletePersistentVolumes: + try: + results_dict[namespace]['delete_persistent_volume'][name] = k8s_api.delete_persistent_volume( + name=name + ) + except kubeImported.client.rest.ApiException as x: + if x.status != 404: + if 'error' not in results_dict[namespace]['delete_persistent_volume']: + results_dict[namespace]['delete_persistent_volume']['error'] = dict() + results_dict[namespace]['delete_persistent_volume']['error'][name] = LoadStrIfJson(str(x)) + if not results_dict[namespace]['delete_persistent_volume']['error'][name]: + results_dict[namespace]['delete_persistent_volume']['error'][name] = str(x) + + return results_dict + + +def StartMalcolm(namespace, malcolmPath, configPath): + if not namespace: + namespace = 'malcolm' + + results_dict = defaultdict(dict) + + if ( + os.path.isdir(malcolmPath) + and os.path.isdir(configPath) + and (kubeImported := KubernetesDynamic()) + and (dotenvImported := DotEnvDynamic()) + and (client := kubeImported.client.CoreV1Api()) + and (apiClient := kubeImported.client.ApiClient()) + ): + # create the namespace + try: + results_dict['create_namespace']['result'] = client.create_namespace( + kubeImported.client.V1Namespace(metadata=kubeImported.client.V1ObjectMeta(name=namespace)) + ).metadata + except kubeImported.client.rest.ApiException as x: + if x.status != 409: + results_dict['create_namespace']['error'] = LoadStrIfJson(str(x)) + if not results_dict['create_namespace']['error']: + results_dict['create_namespace']['error'] = str(x) + + # create configmaps from files + results_dict['create_namespaced_config_map']['result'] = dict() + results_dict['create_namespaced_secret']['result'] = dict() + for configMapName, configMapFiles in MALCOLM_CONFIGMAPS.items(): + for isSecret in (True, False): + resultsEntry = 
'create_namespaced_secret' if isSecret else 'create_namespaced_config_map' + mapFiles = [x['path'] for x in configMapFiles if (x.get('secret', False) is isSecret)] + if mapFiles: + try: + dataMap = {} + binaryDataMap = {} + for fname in mapFiles: + if os.path.isfile(fname): + contents = file_contents( + fname, + binary_fallback=True, + ) + if hasattr(contents, 'decode'): + binaryDataMap[os.path.basename(fname)] = base64.b64encode(contents).decode('utf-8') + else: + dataMap[os.path.basename(fname)] = contents + elif os.path.isdir(fname): + for subfname in glob.iglob( + os.path.join(os.path.join(fname, '**'), '*'), recursive=True + ): + if os.path.isfile(subfname): + contents = file_contents( + subfname, + binary_fallback=True, + ) + if hasattr(contents, 'decode'): + binaryDataMap[os.path.basename(subfname)] = base64.b64encode( + contents + ).decode('utf-8') + else: + dataMap[os.path.basename(subfname)] = contents + metadata = kubeImported.client.V1ObjectMeta( + name=configMapName, + namespace=namespace, + ) + if isSecret: + results_dict[resultsEntry]['result'][configMapName] = client.create_namespaced_secret( + namespace=namespace, + body=kubeImported.client.V1Secret( + metadata=metadata, + string_data=dataMap if dataMap else {}, + data=binaryDataMap if binaryDataMap else {}, + ), + ).metadata + else: + results_dict[resultsEntry]['result'][configMapName] = client.create_namespaced_config_map( + namespace=namespace, + body=kubeImported.client.V1ConfigMap( + metadata=metadata, + data=dataMap if dataMap else {}, + binary_data=binaryDataMap if binaryDataMap else {}, + ), + ).metadata + except kubeImported.client.rest.ApiException as x: + if x.status != 409: + if 'error' not in results_dict[resultsEntry]: + results_dict[resultsEntry]['error'] = dict() + results_dict[resultsEntry]['error'][os.path.basename(configMapName)] = LoadStrIfJson(str(x)) + if not results_dict[resultsEntry]['error'][os.path.basename(configMapName)]: + 
results_dict[resultsEntry]['error'][os.path.basename(configMapName)] = str(x) + + # create configmaps (or secrets, given a K8S_SECRET key) from .env files + results_dict['create_namespaced_config_map_from_env_file']['result'] = dict() + results_dict['create_namespaced_secret_from_env_file']['result'] = dict() + for envFileName in glob.iglob(os.path.join(configPath, '*.env'), recursive=False): + if os.path.isfile(envFileName): + try: + values = dotenvImported.dotenv_values(envFileName) + isSecret = val2bool(values.pop(MALCOLM_DOTFILE_SECRET_KEY, False)) + metadata = kubeImported.client.V1ObjectMeta( + name=remove_suffix(os.path.basename(envFileName), '.env') + '-env' + ) + if isSecret: + resultsEntry = 'create_namespaced_secret_from_env_file' + results_dict[resultsEntry]['result'][metadata.name] = client.create_namespaced_secret( + namespace=namespace, + body=kubeImported.client.V1Secret( + metadata=metadata, + string_data=values if values else {}, + ), + ).metadata + else: + resultsEntry = 'create_namespaced_config_map_from_env_file' + results_dict[resultsEntry]['result'][metadata.name] = client.create_namespaced_config_map( + namespace=namespace, + body=kubeImported.client.V1ConfigMap( + metadata=metadata, + data=values if values else {}, + ), + ).metadata + + except kubeImported.client.rest.ApiException as x: + if x.status != 409: + if 'error' not in results_dict[resultsEntry]: + results_dict[resultsEntry]['error'] = dict() + results_dict[resultsEntry]['error'][os.path.basename(envFileName)] = LoadStrIfJson(str(x)) + if not results_dict[resultsEntry]['error'][os.path.basename(envFileName)]: + results_dict[resultsEntry]['error'][os.path.basename(envFileName)] = str(x) + + # apply manifests + results_dict['create_from_yaml']['result'] = dict() + yamlFiles = sorted( + list( + chain( + *[ + glob.iglob(os.path.join(os.path.join(malcolmPath, 'kubernetes'), ftype), recursive=False) + for ftype in ['*.yml', '*.yaml'] + ] + ) + ) + ) + for yamlName in yamlFiles: + try: + 
results_dict['create_from_yaml']['result'][ + os.path.basename(yamlName) + ] = kubeImported.utils.create_from_yaml( + apiClient, + yamlName, + namespace=namespace, + ) + except kubeImported.client.rest.ApiException as x: + if x.status != 409: + if 'error' not in results_dict['create_from_yaml']: + results_dict['create_from_yaml']['error'] = dict() + results_dict['create_from_yaml']['error'][os.path.basename(yamlName)] = LoadStrIfJson(str(x)) + if not results_dict['create_from_yaml']['error'][os.path.basename(yamlName)]: + results_dict['create_from_yaml']['error'][os.path.basename(yamlName)] = str(x) + except kubeImported.utils.FailToCreateError as fe: + if [exc for exc in fe.api_exceptions if exc.status != 409]: + if 'error' not in results_dict['create_from_yaml']: + results_dict['create_from_yaml']['error'] = dict() + results_dict['create_from_yaml']['error'][os.path.basename(yamlName)] = LoadStrIfJson(str(fe)) + if not results_dict['create_from_yaml']['error'][os.path.basename(yamlName)]: + results_dict['create_from_yaml']['error'][os.path.basename(yamlName)] = str(fe) + + return results_dict + + +def CheckPersistentStorageDefs(namespace, malcolmPath): + foundObjects = {k: False for (k, v) in REQUIRED_VOLUME_OBJECTS.items()} + + if yamlImported := YAMLDynamic(): + allYamlContents = [] + yamlFiles = sorted( + list( + chain( + *[ + glob.iglob(os.path.join(os.path.join(malcolmPath, 'kubernetes'), ftype), recursive=False) + for ftype in ['*.yml', '*.yaml'] + ] + ) + ) + ) + for yamlName in yamlFiles: + with open(yamlName, 'r') as cf: + allYamlContents.extend(list(yamlImported.safe_load_all(cf))) + for name, kind in REQUIRED_VOLUME_OBJECTS.items(): + for doc in allYamlContents: + if ( + (doc.get('kind', None) == kind) + and (deep_get(doc, ['metadata', 'namespace']) == namespace) + and (deep_get(doc, ['metadata', 'name']) == name) + ): + foundObjects[name] = True + + return all([v for k, v in foundObjects.items()]) 
diff --git a/scripts/malcolm_utils.py b/scripts/malcolm_utils.py
new file mode 100644
index 000000000..c5d6fee49
--- /dev/null
+++ b/scripts/malcolm_utils.py
@@ -0,0 +1,639 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. + +import contextlib +import hashlib +import ipaddress +import json +import os +import re +import socket +import string +import subprocess +import sys +import tempfile +import time + + +from base64 import b64decode +from datetime import datetime +from multiprocessing import RawValue +from subprocess import PIPE, STDOUT, Popen, CalledProcessError +from tempfile import NamedTemporaryFile +from threading import Lock + +try: + from collections.abc import Iterable +except ImportError: + from collections import Iterable +from collections import defaultdict, namedtuple, OrderedDict + + +################################################################################################### +# urlencode each character of a string +def aggressive_url_encode(val): + return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in val) + + +################################################################################################### +# atomic integer class and context manager +class AtomicInt: + def __init__(self, value=0): + self.val = RawValue('i', value) + self.lock = Lock() + + def increment(self): + with self.lock: + self.val.value += 1 + return self.val.value + + def decrement(self): + with self.lock: + self.val.value -= 1 + return self.val.value + + def value(self): + with self.lock: + return self.val.value + + def __enter__(self): + return self.increment() + + def __exit__(self, type, value, traceback): + return self.decrement() + + +################################################################################################### +# if a string starts with 'base64:', decode it, otherwise return it as-is +def base64_decode_if_prefixed(s: str): + if s.startswith('base64:'): + return b64decode(s[7:]).decode('utf-8') + else: + return s + + 
+################################################################################################### +# test if a remote port is open +def check_socket(host, port): + with contextlib.closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock: + sock.settimeout(10) + if sock.connect_ex((host, port)) == 0: + return True + else: + return False + + +################################################################################################### +def contains_whitespace(s): + return True in [c in s for c in string.whitespace] + + +################################################################################################### +# an OrderedDict that locks itself and unlocks itself as a context manager +class ContextLockedOrderedDict(OrderedDict): + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.lock = Lock() + + def __enter__(self): + self.lock.acquire() + return self + + def __exit__(self, type, value, traceback): + self.lock.release() + return self + + +################################################################################################### +def custom_make_translation(text, translation): + regex = re.compile('|'.join(map(re.escape, translation))) + return regex.sub(lambda match: translation[match.group(0)], text) + + +################################################################################################### +# safe deep get for a dictionary +# +# Example: +# d = {'meta': {'status': 'OK', 'status_code': 200}} +# DeepGet(d, ['meta', 'status_code']) # => 200 +# DeepGet(d, ['garbage', 'status_code']) # => None +# DeepGet(d, ['meta', 'garbage'], default='-') # => '-' +def deep_get(d, keys, default=None): + k = get_iterable(keys) + if d is None: + return default + if not keys: + return d + return deep_get(d.get(k[0]), k[1:], default) + + +################################################################################################### +# convenience routine for setting-getting a value into a dictionary 
+def deep_set(d, keys, value, deleteIfNone=False): + k = get_iterable(keys) + for key in k[:-1]: + if (key not in d) or (not isinstance(d[key], dict)): + d[key] = dict() + d = d[key] + d[k[-1]] = value + if deleteIfNone and (value is None): + d.pop(k[-1], None) + + +################################################################################################### +# recursive dictionary key search +def dictsearch(d, target): + val = filter( + None, [[b] if a == target else dictsearch(b, target) if isinstance(b, dict) else None for a, b in d.items()] + ) + return [i for b in val for i in b] + + +################################################################################################### +# print to stderr +def eprint(*args, **kwargs): + filteredArgs = ( + {k: v for (k, v) in kwargs.items() if k not in ('timestamp', 'flush')} if isinstance(kwargs, dict) else {} + ) + if "timestamp" in kwargs and kwargs["timestamp"]: + print( + datetime.now().strftime("%Y-%m-%d %H:%M:%S"), + *args, + file=sys.stderr, + **filteredArgs, + ) + else: + print(*args, file=sys.stderr, **filteredArgs) + if "flush" in kwargs and kwargs["flush"]: + sys.stderr.flush() + + +################################################################################################### +def EscapeAnsi(line): + ansiEscape = re.compile(r'(?:\x1B[@-_]|[\x80-\x9F])[0-?]*[ -/]*[@-~]') + return ansiEscape.sub('', line) + + +################################################################################################### +def EscapeForCurl(s): + return s.translate( + str.maketrans( + { + '"': r'\"', + "\\": r"\\", + "\t": r"\t", + "\n": r"\n", + "\r": r"\r", + "\v": r"\v", + } + ) + ) + + +def UnescapeForCurl(s): + return custom_make_translation( + s, + { + r'\"': '"', + r"\t": "\t", + r"\n": "\n", + r"\r": "\r", + r"\v": "\v", + r"\\": "\\", + }, + ) + + +################################################################################################### +# EVP_BytesToKey +# +# reference: 
https://github.com/openssl/openssl/blob/6f0ac0e2f27d9240516edb9a23b7863e7ad02898/crypto/evp/evp_key.c#L74 +# https://gist.github.com/chrono-meter/d122cbefc6f6248a0af554995f072460 +EVP_KEY_SIZE = 32 +OPENSSL_ENC_MAGIC = b'Salted__' +PKCS5_SALT_LEN = 8 + + +def EVP_BytesToKey(key_length: int, iv_length: int, md, salt: bytes, data: bytes, count: int = 1) -> (bytes, bytes): + assert data + assert salt == b'' or len(salt) == PKCS5_SALT_LEN + + md_buf = b'' + key = b'' + iv = b'' + addmd = 0 + + while key_length > len(key) or iv_length > len(iv): + c = md() + if addmd: + c.update(md_buf) + addmd += 1 + c.update(data) + c.update(salt) + md_buf = c.digest() + for i in range(1, count): + md_buf = md(md_buf) + + md_buf2 = md_buf + + if key_length > len(key): + key, md_buf2 = key + md_buf2[: key_length - len(key)], md_buf2[key_length - len(key) :] + + if iv_length > len(iv): + iv = iv + md_buf2[: iv_length - len(iv)] + + return key, iv + + +################################################################################################### +# if the object is an iterable, return it, otherwise return a tuple with it as a single element. +# useful if you want to user either a scalar or an array in a loop, etc. +def get_iterable(x): + if isinstance(x, Iterable) and not isinstance(x, str): + return x + else: + return (x,) + + +################################################################################################### +# will it float? 
+def isfloat(value): + try: + float(value) + return True + except ValueError: + return False + + +################################################################################################### +# check a string or list to see if something is a valid IP address +def isipaddress(value): + result = True + try: + if isinstance(value, list) or isinstance(value, tuple) or isinstance(value, set): + for v in value: + ipaddress.ip_address(v) + else: + ipaddress.ip_address(value) + except Exception: + result = False + return result + + +################################################################################################### +# return the primary IP (the one with a default route) on the local box +def get_primary_ip(): + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + s.settimeout(0) + try: + # this IP doesn't have to be reachable + s.connect(('10.254.254.254', 1)) + ip = s.getsockname()[0] + except Exception: + ip = '127.0.0.1' + finally: + s.close() + return ip + + +################################################################################################### +# attempt to decode a string as JSON, returning the object if it decodes and None otherwise +def LoadStrIfJson(jsonStr): + try: + return json.loads(jsonStr) + except ValueError: + return None + + +################################################################################################### +# attempt to decode a file (given by handle) as JSON, returning the object if it decodes and +# None otherwise +def LoadFileIfJson(fileHandle): + try: + return json.load(fileHandle) + except ValueError: + return None + + +################################################################################################### +# parse a curl-formatted config file, with special handling for user:password and URL +# see https://everything.curl.dev/cmdline/configfile +# e.g.: +# +# given .opensearch.primary.curlrc containing: +# - +# user: "sikari:changethis" +# insecure +# - +# +# 
ParseCurlFile('.opensearch.primary.curlrc') returns: +# { +# 'user': 'sikari', +# 'password': 'changethis', +# 'insecure': '' +# } +def ParseCurlFile(curlCfgFileName): + result = defaultdict(lambda: None) + if os.path.isfile(curlCfgFileName): + itemRegEx = re.compile(r'^([^\s:=]+)((\s*[:=]?\s*)(.*))?$') + with open(curlCfgFileName, 'r') as f: + allLines = [x.strip().lstrip('-') for x in f.readlines() if not x.startswith('#')] + for line in allLines: + found = itemRegEx.match(line) + if found is not None: + key = found.group(1) + value = UnescapeForCurl(found.group(4).lstrip('"').rstrip('"')) + if (key == 'user') and (':' in value): + splitVal = value.split(':', 1) + result[key] = splitVal[0] + if len(splitVal) > 1: + result['password'] = splitVal[1] + else: + result[key] = value + + return result + + +################################################################################################### +# a context manager for entering a directory and leaving it upon leaving the context +@contextlib.contextmanager +def pushd(directory): + prevDir = os.getcwd() + os.chdir(directory) + try: + yield + finally: + os.chdir(prevDir) + + +################################################################################################### +# recursively remove empty subfolders +def RemoveEmptyFolders(path, removeRoot=True): + if not os.path.isdir(path): + return + + files = os.listdir(path) + if len(files): + for f in files: + fullpath = os.path.join(path, f) + if os.path.isdir(fullpath): + RemoveEmptyFolders(fullpath) + + files = os.listdir(path) + if len(files) == 0 and removeRoot: + try: + os.rmdir(path) + except Exception: + pass + + +################################################################################################### +# strip a prefix from the beginning of a string if needed +def remove_prefix(text, prefix): + if (len(prefix) > 0) and text.startswith(prefix): + return text[len(prefix) :] + else: + return text + + 
+################################################################################################### +# strip a suffix from the end of a string if needed +def remove_suffix(text, suffix): + if (len(suffix) > 0) and text.endswith(suffix): + return text[: len(text) - len(suffix)] + else: + return text + + +################################################################################################### +# return true if os.path.samefile, also False on exception +def same_file_or_dir(path1, path2): + try: + return os.path.samefile(path1, path2) + except Exception: + return False + + +################################################################################################### +# calculate a sha256 hash of a file +def sha256sum(filename): + h = hashlib.sha256() + b = bytearray(64 * 1024) + mv = memoryview(b) + with open(filename, 'rb', buffering=0) as f: + for n in iter(lambda: f.readinto(mv), 0): + h.update(mv[:n]) + return h.hexdigest() + + +################################################################################################### +# nice human-readable file sizes +def sizeof_fmt(num, suffix='B'): + for unit in ['', 'Ki', 'Mi', 'Gi', 'Ti', 'Pi', 'Ei', 'Zi']: + if abs(num) < 1024.0: + return f"{num:3.1f}{unit}{suffix}" + num /= 1024.0 + return f"{num:.1f}{'Yi'}{suffix}" + + +################################################################################################### +# convenient boolean argument parsing +def str2bool(v): + if isinstance(v, bool): + return v + elif isinstance(v, str): + if v.lower() in ("yes", "true", "t", "y", "1"): + return True + elif v.lower() in ("no", "false", "f", "n", "0"): + return False + else: + raise ValueError("Boolean value expected") + else: + raise ValueError("Boolean value expected") + + +################################################################################################### +# tablify +def tablify(matrix, file=sys.stdout): + colMaxLen = {i: max(map(len, inner)) for i, inner in 
enumerate(zip(*matrix))} + for row in matrix: + for col, data in enumerate(row): + print(f"{data:{colMaxLen[col]}}", end=" | ", file=file) + print(file=file) + + +################################################################################################### +# a context manager returning a temporary filename which is deleted upon leaving the context +@contextlib.contextmanager +def temporary_filename(suffix=None): + try: + f = tempfile.NamedTemporaryFile(suffix=suffix, delete=False) + tmp_name = f.name + f.close() + yield tmp_name + finally: + os.unlink(tmp_name) + + +################################################################################################### +# open a file and close it, updating its access time +def touch(filename): + open(filename, 'a').close() + os.utime(filename, None) + + +################################################################################################### +# read the contents of a file, first assuming text (with encoding), optionally falling back to binary +def file_contents(filename, encoding='utf-8', binary_fallback=False): + if os.path.isfile(filename): + decodeErr = False + + try: + with open(filename, 'r', encoding=encoding) as f: + return f.read() + except (UnicodeDecodeError, AttributeError): + if binary_fallback: + decodeErr = True + else: + raise + + if decodeErr and binary_fallback: + with open(filename, 'rb') as f: + return f.read() + + else: + return None + + +################################################################################################### +def val2bool(v): + try: + if v is None: + return False + elif isinstance(v, bool): + return v + elif isinstance(v, str): + if v.lower() in ("yes", "true", "t", "y"): + return True + elif v.lower() in ("no", "false", "f", "n"): + return False + else: + raise ValueError(f'Boolean value expected (got {v})') + else: + raise ValueError(f'Boolean value expected (got {v})') + except Exception: + # just pitch it back and let the caller worry about it + 
return v + + +################################################################################################### +# determine if a program/script exists and is executable in the system path +def which(cmd, debug=False): + result = any(os.access(os.path.join(path, cmd), os.X_OK) for path in os.environ["PATH"].split(os.pathsep)) + if debug: + eprint(f"which {cmd} returned {result}") + return result + + +################################################################################################### +# run command with arguments and return its exit code, stdout, and stderr +def check_output_input(*popenargs, **kwargs): + if 'stdout' in kwargs: + raise ValueError('stdout argument not allowed, it will be overridden') + + if 'stderr' in kwargs: + raise ValueError('stderr argument not allowed, it will be overridden') + + if 'input' in kwargs and kwargs['input']: + if 'stdin' in kwargs: + raise ValueError('stdin and input arguments may not both be used') + inputdata = kwargs['input'] + kwargs['stdin'] = PIPE + else: + inputdata = None + kwargs.pop('input', None) + + process = Popen(*popenargs, stdout=PIPE, stderr=PIPE, **kwargs) + try: + output, errput = process.communicate(inputdata) + except Exception: + process.kill() + process.wait() + raise + + retcode = process.poll() + + return retcode, output, errput + + +################################################################################################### +# run command with arguments and return its exit code and output +def run_process( + command, + stdout=True, + stderr=True, + stdin=None, + retry=0, + retrySleepSec=5, + cwd=None, + env=None, + debug=False, + logger=None, +): + retcode = -1 + output = [] + + try: + # run the command + retcode, cmdout, cmderr = check_output_input( + command, + input=stdin.encode() if stdin else None, + cwd=cwd, + env=env, + ) + + # split the output on newlines to return a list + if stderr and (len(cmderr) > 0): + output.extend(cmderr.decode(sys.getdefaultencoding()).split('\n')) 
+ if stdout and (len(cmdout) > 0): + output.extend(cmdout.decode(sys.getdefaultencoding()).split('\n')) + + except (FileNotFoundError, OSError, IOError): + if stderr: + output.append("Command {} not found or unable to execute".format(command)) + + if debug: + dbgStr = "{}{} returned {}: {}".format( + command, "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if stdin else ""), retcode, output + ) + if logger is not None: + logger.debug(dbgStr) + else: + eprint(dbgStr) + + if (retcode != 0) and retry and (retry > 0): + # sleep then retry + time.sleep(retrySleepSec) + return run_process(command, stdout, stderr, stdin, retry - 1, retrySleepSec, cwd, env, debug, logger) + else: + return retcode, output + + +################################################################################################### +# execute a shell process returning its exit code and output +def run_subprocess(command, stdout=True, stderr=False, stdin=None, timeout=60): + retcode = -1 + output = [] + p = subprocess.run( + [command], input=stdin, universal_newlines=True, capture_output=True, shell=True, timeout=timeout + ) + if p: + retcode = p.returncode + if stderr and p.stderr: + output.extend(p.stderr.splitlines()) + if stdout and p.stdout: + output.extend(p.stdout.splitlines()) + + return retcode, output diff --git a/scripts/third-party-logs/fluent-bit-setup.ps1 b/scripts/third-party-logs/fluent-bit-setup.ps1 index 5916189dd..96bf41aef 100644 --- a/scripts/third-party-logs/fluent-bit-setup.ps1 +++ b/scripts/third-party-logs/fluent-bit-setup.ps1 @@ -8,8 +8,8 @@ # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. ############################################################################### -$fluent_bit_version = '2.0' -$fluent_bit_full_version = '2.0.10' +$fluent_bit_version = '2.1' +$fluent_bit_full_version = '2.1.2' ############################################################################### # select an item from a menu provided in an array 
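Review bot: `EVP_BytesToKey` breaks for any `count` greater than 1: the iteration loop `for i in range(1, count): md_buf = md(md_buf)` assigns a hash object rather than its digest, so the following `md_buf2[: key_length - len(key)]` slice raises TypeError (and the next round's `c.update(md_buf)` would as well); it should read `md_buf = md(md_buf).digest()`. With the default `count=1` the loop never executes, which is why the defect is latent today. Separately, `run_subprocess` calls `subprocess.run([command], ..., shell=True)`, so the string is interpreted by the shell; a header comment such as `# command is passed to the shell verbatim: never build it from untrusted input, prefer run_process() (no shell) where possible` would make that contract explicit to callers. The return annotation `-> (bytes, bytes)` on `EVP_BytesToKey` is a tuple value rather than a type; `-> typing.Tuple[bytes, bytes]` is the conventional form.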
diff --git a/scripts/zeek_script_to_malcolm_boilerplate.py b/scripts/zeek_script_to_malcolm_boilerplate.py index d1a9289a0..96cd2939a 100755 --- a/scripts/zeek_script_to_malcolm_boilerplate.py +++ b/scripts/zeek_script_to_malcolm_boilerplate.py @@ -72,6 +72,7 @@ # Used as a predicate to filter nodes during tree traversal. # see https://github.com/zeek/zeekscript/blob/4a3512dd114e2709d6738016176c27a65f3f1492/zeekscript/node.py#L157 + # This Node is a "create_stream" expression, e.g.: # Log::create_stream(ICSNPP_OPCUA_Binary::LOG, [$columns=OPCUA_Binary::Info, $path="opcua-binary"]) def IsCreateStreamExprNode(Node): diff --git a/sensor-iso/arkime/Dockerfile b/sensor-iso/arkime/Dockerfile index 32b8f1bb8..eaec223e1 100644 --- a/sensor-iso/arkime/Dockerfile +++ b/sensor-iso/arkime/Dockerfile @@ -6,7 +6,7 @@ LABEL maintainer="malcolm@inl.gov" ENV DEBIAN_FRONTEND noninteractive -ENV ARKIME_VERSION "4.2.0" +ENV ARKIME_VERSION "4.3.0" ENV ARKIME_DIR "/opt/arkime" RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.list && \ diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index 151fe59f0..3438477eb 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -115,6 +115,7 @@ if [ -d "$WORKDIR" ]; then rsync -a "$SCRIPT_PATH/shared/bin/" ./config/includes.chroot/usr/local/bin/ mkdir -p ./config/includes.chroot/opt/zeek/bin/ mv ./config/includes.chroot/usr/local/bin/zeekdeploy.sh ./config/includes.chroot/opt/zeek/bin/ + ln -s -r ./config/includes.chroot/usr/local/bin/malcolm_utils.py ./config/includes.chroot/opt/zeek/bin/ chown -R root:root ./config/includes.chroot/usr/local/bin/ ./config/includes.chroot/opt/zeek/bin/ # write out some version stuff specific to this installation version diff --git a/sensor-iso/build_via_vagrant.sh b/sensor-iso/build_via_vagrant.sh index 3ea149d73..73aa5b738 100755 --- a/sensor-iso/build_via_vagrant.sh +++ b/sensor-iso/build_via_vagrant.sh 
@@ -86,6 +86,7 @@ cp -r "$SCRIPT_PATH"/../shared \ "$SCRIPT_PATH"/../Gemfile \ "$SCRIPT_PATH"/../README.md "$SCRIPT_PATH"/ cp "$SCRIPT_PATH"/../scripts/documentation_build.sh "$SCRIPT_PATH"/docs/ +cp "$SCRIPT_PATH"/../scripts/malcolm_utils.py "$SCRIPT_PATH"/shared/bin/ YML_IMAGE_VERSION="$(grep -P "^\s+image:\s*malcolm" "$SCRIPT_PATH"/../docker-compose-standalone.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" [[ -n $YML_IMAGE_VERSION ]] && echo "$YML_IMAGE_VERSION" > "$SCRIPT_PATH"/shared/version.txt diff --git a/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot b/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot index f7f1e95a3..952ce3fc4 100755 --- a/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot +++ b/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot @@ -11,5 +11,8 @@ pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \ dateparser \ debinterface \ pymisp \ + python-dotenv \ + ruamel.yaml \ stix2 \ - taxii2-client + taxii2-client \ + watchdog diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index 2c2e182d4..d9fdc9deb 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot @@ -13,7 +13,7 @@ GITHUB_API_CURL_ARGS+=( -H ) GITHUB_API_CURL_ARGS+=( "Accept: application/vnd.github.v3+json" ) [[ -n "$GITHUB_TOKEN" ]] && GITHUB_API_CURL_ARGS+=( -H ) && GITHUB_API_CURL_ARGS+=( "Authorization: token $GITHUB_TOKEN" ) -ZEEK_VER=5.2.0-0 +ZEEK_VER=5.2.1-0 ZEEK_LTS= ZEEK_DIR="/opt/zeek" export PATH="${ZEEK_DIR}"/bin:$PATH diff --git a/sensor-iso/config/includes.chroot/etc/skel/.tmux.conf b/sensor-iso/config/includes.chroot/etc/skel/.tmux.conf index 0ba442291..30e2eebb7 100644 --- a/sensor-iso/config/includes.chroot/etc/skel/.tmux.conf +++ b/sensor-iso/config/includes.chroot/etc/skel/.tmux.conf 
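Review bot: The three packages added to the `pip3 install` list in `0169-pip-installs.hook.chroot` (`python-dotenv`, `ruamel.yaml`, `watchdog`) are unpinned and installed with `--force-reinstall --upgrade`, so each ISO build resolves whatever PyPI serves that day with nothing to verify against; the same change pins `python-dotenv==1.0.0` in `sensor-iso/interface/requirements.txt`, so the two installs can silently drift apart. That matches the existing entries in this list, but new lines are the place to stop the pattern: pin at least `python-dotenv==1.0.0 \` and fixed versions of `ruamel.yaml` and `watchdog`, or move the list into a requirements file installed with `--require-hashes`. The `pip3 install` command itself starts before this hunk.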
@@ -41,3 +41,5 @@ bind r source-file ~/.tmux.conf\; display "Reloaded conf." # Use vim keybindings in copy mode setw -g mode-keys vi +# don't increase the user count for every pane +set -g default-command "${SHELL}" diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index 917c55401..67b969077 100644 --- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -9,6 +9,8 @@ global disable_log_passwords = (getenv("ZEEK_DISABLE_LOG_PASSWORDS") == "") ? F global disable_ssl_validate_certs = (getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS") == "") ? F : T; global disable_track_all_assets = (getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") == "") ? F : T; global disable_best_guess_ics = (getenv("ZEEK_DISABLE_BEST_GUESS_ICS") == "") ? F : T; +global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == "") ? F : T; +global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T; global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T; @@ -62,7 +64,6 @@ redef ignore_checksums = T; @load policy/protocols/conn/vlan-logging @load policy/protocols/conn/mac-logging @load policy/protocols/modbus/known-masters-slaves -@load policy/protocols/mqtt @load ./login.zeek @if (!disable_best_guess_ics) 
@@ -115,6 +116,31 @@ event zeek_init() &priority=-5 { if (disable_spicy_wireguard) { Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_WIREGUARD); } + + # register additional ports for Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_... + if (synchrophasor_ports_str != "") { + local synchrophasor_ports = split_string(synchrophasor_ports_str, /,/); + if (|synchrophasor_ports| > 0) { + local synch_ports_tcp: set[port] = {}; + local synch_ports_udp: set[port] = {}; + for (synch_port_idx in synchrophasor_ports) { + local synch_port = to_port(synchrophasor_ports[synch_port_idx]); + local synch_prot = get_port_transport_proto(synch_port); + if (synch_prot == tcp) { + add synch_ports_tcp[synch_port]; + } else if (synch_prot == udp) { + add synch_ports_udp[synch_port]; + } + } + if (|synch_ports_tcp| > 0) { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP, synch_ports_tcp); + } + if (|synch_ports_udp| > 0) { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP, synch_ports_udp); + } + } + } + } @if (!disable_log_passwords) @@ -127,3 +153,8 @@ event zeek_init() &priority=-5 { redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; +@if (synchrophasor_detailed) + redef SYNCHROPHASOR::log_data_frame = T; + redef SYNCHROPHASOR::log_data_detail = T; + redef SYNCHROPHASOR::log_cfg_detail = T; +@endif diff --git a/sensor-iso/config/package-lists/python.list.chroot b/sensor-iso/config/package-lists/python.list.chroot index 385f990d6..898f3c9dc 100644 --- a/sensor-iso/config/package-lists/python.list.chroot +++ b/sensor-iso/config/package-lists/python.list.chroot @@ -9,9 +9,7 @@ python3-netifaces python3-pip python3-psutil python3-pycryptodome -python3-pyinotify python3-requests -python3-ruamel.yaml python3-semantic-version python3-setuptools python3-tz diff --git a/sensor-iso/interface/requirements.txt b/sensor-iso/interface/requirements.txt index ab47c4010..fd639a82d 100644 
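Review bot: Each comma-separated element of `ZEEK_SYNCHROPHASOR_PORTS` goes straight into `to_port()` with no trimming or validation, so a value such as `4712/tcp, 4713/udp` (space after the comma) or an entry missing its `/tcp` or `/udp` suffix produces, as far as I recall `to_port`'s contract, an unknown-protocol port that falls through both `if` branches and is never registered, with no diagnostic. Trim and report instead: `local synch_port = to_port(strip(synchrophasor_ports[synch_port_idx]));` and add an `else { Reporter::warning(fmt("ignoring invalid ZEEK_SYNCHROPHASOR_PORTS entry '%s'", synchrophasor_ports[synch_port_idx])); }` after the `udp` branch. The outer `if (|synchrophasor_ports| > 0)` is always true after `split_string` and can go. The enclosing `zeek_init` handler starts before this hunk.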
--- a/sensor-iso/interface/requirements.txt +++ b/sensor-iso/interface/requirements.txt @@ -9,7 +9,7 @@ itsdangerous==2.1.2 Jinja2==3.1.2 MarkupSafe==2.1.2 psutil==5.9.4 -python-dotenv==0.21.1 +python-dotenv==1.0.0 requests==2.28.2 six==1.16.0 urllib3==1.26.14 diff --git a/sensor-iso/interface/sensor_ctl/arkime/config.ini b/sensor-iso/interface/sensor_ctl/arkime/config.ini index 63337b703..3214dbec3 100644 --- a/sensor-iso/interface/sensor_ctl/arkime/config.ini +++ b/sensor-iso/interface/sensor_ctl/arkime/config.ini @@ -29,7 +29,7 @@ parseSMB=true parseQSValue=false supportSha256=false maxReqBody=64 -config.reqBodyOnlyUtf8=true +reqBodyOnlyUtf8=true smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP: parsersDir=/dummy/parsers pluginsDir=/dummy/plugins diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf index e5b81c7b5..f185799a0 100644 --- a/sensor-iso/interface/sensor_ctl/control_vars.conf +++ b/sensor-iso/interface/sensor_ctl/control_vars.conf @@ -65,6 +65,7 @@ export ZEEK_DISABLE_SPICY_STUN= export ZEEK_DISABLE_SPICY_TAILSCALE= export ZEEK_DISABLE_SPICY_TFTP= export ZEEK_DISABLE_SPICY_WIREGUARD= +export ZEEK_SYNCHROPHASOR_DETAILED= # Suricata export SURICATA_CUSTOM_RULES_ONLY=false diff --git a/sensor-iso/interface/sensor_interface/routes.py b/sensor-iso/interface/sensor_interface/routes.py index 3b7bdecd6..2f4c3d66e 100644 --- a/sensor-iso/interface/sensor_interface/routes.py +++ b/sensor-iso/interface/sensor_interface/routes.py @@ -1,6 +1,10 @@ # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. -import psutil, time, json, logging, os +import psutil +import time +import json +import logging +import os from .sysquery import sys_service as sys_s from flask import render_template, send_from_directory from flask import Flask 
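Review bot: Only `ZEEK_SYNCHROPHASOR_DETAILED` is added to `control_vars.conf`, while the `local.zeek` change in this same commit also reads `ZEEK_SYNCHROPHASOR_PORTS` to register additional analyzer ports; unless that variable is exported somewhere else on the sensor, operators editing this file have no documented knob for it and the port-registration code is unreachable. Add `export ZEEK_SYNCHROPHASOR_PORTS=` next to the new line, with a short comment such as `# comma-separated list of extra ports, e.g. 4712/tcp,4713/udp`.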
@@ -62,7 +66,6 @@ def activate_service(script): @app.route('/update', methods=['GET']) def update_stats(): - req_time = int(time.time()) disk_write_data_start = psutil.disk_io_counters(perdisk=False) diff --git a/sensor-iso/interface/sensor_interface/sysquery/__init__.py b/sensor-iso/interface/sensor_interface/sysquery/__init__.py index 8b1378917..e69de29bb 100644 --- a/sensor-iso/interface/sensor_interface/sysquery/__init__.py +++ b/sensor-iso/interface/sensor_interface/sysquery/__init__.py @@ -1 +0,0 @@ - diff --git a/sensor-iso/interface/sensor_interface/sysquery/sys_service.py b/sensor-iso/interface/sensor_interface/sysquery/sys_service.py index c030e57be..a1a432bf2 100644 --- a/sensor-iso/interface/sensor_interface/sysquery/sys_service.py +++ b/sensor-iso/interface/sensor_interface/sysquery/sys_service.py @@ -1,6 +1,7 @@ # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. -import subprocess, json +import subprocess +import json import os # traverse back up the path of the project directory to the scripts location @@ -8,7 +9,6 @@ def service(command): - # TODO implement better error handling command, arguement = command.split(" ") diff --git a/shared/bin/agg-init.sh b/shared/bin/agg-init.sh index e3127b3c9..1fea56360 100755 --- a/shared/bin/agg-init.sh +++ b/shared/bin/agg-init.sh @@ -25,6 +25,7 @@ if [[ -r "$SCRIPT_PATH"/common-init.sh ]]; then /usr/bin/env python3 "$MAIN_USER_HOME"/Malcolm/scripts/install.py --configure --defaults --restart-malcolm fi rm -f "$MAIN_USER_HOME"/Malcolm/firstrun "$MAIN_USER_HOME"/Malcolm/.configured + chown -R 1000:1000 "$MAIN_USER_HOME"/Malcolm fi # make sure read permission is set correctly for the nginx worker processes diff --git a/shared/bin/configure-capture.py b/shared/bin/configure-capture.py index 6e3ad7b51..e43e3bead 100755 --- a/shared/bin/configure-capture.py +++ b/shared/bin/configure-capture.py 
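Review bot: Deleting the `# TODO implement better error handling` comment leaves the code it described exactly as it was: `command, arguement = command.split(" ")` still raises `ValueError` on any string that is not exactly two space-separated tokens, and since `routes.py` imports this module as `sys_s`, a malformed value (if it can originate from a request) surfaces as an unhandled 500 rather than a clean error. Either keep the TODO or make the unpack defensive, e.g. `parts = command.split(" ", 1)` followed by a length check that returns an error result to the caller. The body of `service()` continues outside the hunk.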
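Review bot: `chown -R 1000:1000 "$MAIN_USER_HOME"/Malcolm` hard-codes the owner instead of deriving it from the account that actually owns `$MAIN_USER_HOME`, so on an image whose main user was created with a different uid/gid this hands the whole Malcolm tree, including what `install.py --configure` just wrote, to an unrelated or nonexistent account. Prefer `chown -R --reference="$MAIN_USER_HOME" "$MAIN_USER_HOME"/Malcolm`, which follows whatever ids the home directory carries. If 1000 is deliberately chosen to match the containers' default PUID/PGID, a comment saying so would make that dependency visible. The enclosing `if` block starts before this hunk.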
@@ -14,10 +14,19 @@ from collections import defaultdict from dialog import Dialog -from zeek_carve_utils import * -from sensorcommon import * from subprocess import PIPE, STDOUT, Popen, CalledProcessError +from zeek_carve_utils import PRESERVE_NONE, PRESERVE_QUARANTINED, PRESERVE_ALL +from sensorcommon import ( + CancelledError, + clearquit, + get_available_adapters, + identify_adapter, + NIC_BLINK_SECONDS, + test_connection, +) +from malcolm_utils import run_subprocess, remove_prefix, aggressive_url_encode, isipaddress, check_socket + class Constants: CONFIG_CAP = 'Capture Configuration' @@ -242,7 +251,7 @@ def input_opensearch_connection_info( break # HTTP/HTTPS authentication - code, http_username = d.inputbox(f"OpenSearch HTTP/HTTPS server username", init=default_username) + code, http_username = d.inputbox("OpenSearch HTTP/HTTPS server username", init=default_username) if (code == Dialog.CANCEL) or (code == Dialog.ESC): raise CancelledError return_dict[Constants.BEAT_HTTP_USERNAME] = http_username.strip() @@ -250,13 +259,13 @@ def input_opensearch_connection_info( # make them enter the password twice while True: code, http_password = d.passwordbox( - f"OpenSearch HTTP/HTTPS server password", insecure=True, init=default_password + "OpenSearch HTTP/HTTPS server password", insecure=True, init=default_password ) if (code == Dialog.CANCEL) or (code == Dialog.ESC): raise CancelledError code, http_password2 = d.passwordbox( - f"OpenSearch HTTP/HTTPS server password (again)", + "OpenSearch HTTP/HTTPS server password (again)", insecure=True, init=default_password if (http_password == default_password) else "", ) @@ -313,7 +322,7 @@ def main(): try: with open(Constants.DEV_IDENTIFIER_FILE, 'r') as f: installation = f.readline().strip() - except: + except Exception: pass if installation not in Constants.DEV_VALID: print(Constants.MSG_ERR_DEV_INVALID) 
@@ -379,7 +388,7 @@ def main(): raise CancelledError if mode == Constants.MSG_CONFIG_MODE_AUTOSTART: - ##### sensor autostart services configuration ####################################################################################### + # sensor autostart services configuration ############################################################################################# while True: # select processes for autostart (except for the file scan ones, handle those with the file scanning stuff) @@ -432,7 +441,7 @@ def main(): code = d.msgbox(text=Constants.MSG_CONFIG_AUTOSTART_SUCCESS) elif mode == Constants.MSG_CONFIG_MODE_CAPTURE: - ##### sensor capture configuration ################################################################################################## + # sensor capture configuration ######################################################################################################## # determine a list of available (non-virtual) adapters available_adapters = get_available_adapters() @@ -485,7 +494,7 @@ def main(): capture_filter = capture_filter.strip() if len(capture_filter) > 0: # test out the capture filter to see if there's a syntax error - ecode, filter_test_results = run_process( + ecode, filter_test_results = run_subprocess( f'tcpdump -i {selected_ifaces[0]} -d "{capture_filter}"', stdout=False, stderr=True ) else: @@ -792,7 +801,7 @@ def main(): ) elif mode == Constants.MSG_CONFIG_MODE_FORWARD: - ##### sensor forwarding (beats) configuration ######################################################################### + # sensor forwarding (beats) configuration ############################################################################# # only display MSG_CONFIG_TXRX if we have appropriate executable and script txRxScript = '/opt/sensor/sensor_ctl/tx-rx-secure.sh' 
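Review bot: `capture_filter` is operator-typed text that is interpolated into `f'tcpdump -i {selected_ifaces[0]} -d "{capture_filter}"'`, and `run_subprocess` (introduced in this change) executes the string with `shell=True`, so a filter containing `"`, `$(`, backticks or `;` is run as shell rather than compiled as BPF, at whatever privilege this tool needs to open the interface (presumably root). Quote both pieces: `f'tcpdump -i {shlex.quote(selected_ifaces[0])} -d {shlex.quote(capture_filter)}'`, adding `import shlex` at the top of the file. Whether the old `run_process` had the same exposure cannot be seen here, but the new side certainly does. The surrounding `main()` continues outside the hunk.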
@@ -951,13 +960,13 @@ def main(): os.chdir(Constants.BEAT_DIR[fwd_mode]) # check to see if a keystore has already been created for the forwarder - ecode, list_results = run_process(f"{Constants.BEAT_CMD[fwd_mode]} keystore list") + ecode, list_results = run_subprocess(f"{Constants.BEAT_CMD[fwd_mode]} keystore list") if (ecode == 0) and (len(list_results) > 0): # it has, do they wish to overwrite it? if d.yesno(Constants.MSG_OVERWRITE_CONFIG.format(fwd_mode)) != Dialog.OK: raise CancelledError - ecode, create_results = run_process( + ecode, create_results = run_subprocess( f"{Constants.BEAT_CMD[fwd_mode]} keystore create --force", stderr=True ) if ecode != 0: @@ -1174,7 +1183,7 @@ def main(): # it's go time, call keystore add for each item for k, v in sorted(forwarder_dict.items()): - ecode, add_results = run_process( + ecode, add_results = run_subprocess( f"{Constants.BEAT_CMD[fwd_mode]} keystore add {k} --stdin --force", stdin=v, stderr=True ) if ecode != 0: @@ -1182,7 +1191,7 @@ def main(): raise Exception(Constants.MSG_ERROR_KEYSTORE.format(fwd_mode, "\n".join(add_results))) # get a final list of parameters that were set to show the user that stuff happened - ecode, list_results = run_process(f"{Constants.BEAT_CMD[fwd_mode]} keystore list") + ecode, list_results = run_subprocess(f"{Constants.BEAT_CMD[fwd_mode]} keystore list") if ecode == 0: code = d.msgbox( text=Constants.MSG_CONFIG_FORWARDING_SUCCESS.format(fwd_mode, "\n".join(list_results)) @@ -1252,7 +1261,7 @@ def main(): # we're here without a valid forwarding type selection?!? raise Exception(Constants.MSG_MESSAGE_ERROR.format(Constants.MSG_INVALID_FORWARDING_TYPE)) - except CancelledError as c: + except CancelledError: # d.msgbox(text=Constants.MSG_CANCEL_ERROR) # just start over continue diff --git a/shared/bin/configure-interfaces.py b/shared/bin/configure-interfaces.py index 7308f36e5..2e71806c7 100755 --- a/shared/bin/configure-interfaces.py +++ b/shared/bin/configure-interfaces.py 
@@ -13,7 +13,22 @@ import re from dialog import Dialog from debinterface.interfaces import Interfaces -from sensorcommon import * + +from sensorcommon import ( + CancelledError, + clearquit, + get_available_adapters, + identify_adapter, + NIC_BLINK_SECONDS, +) +from malcolm_utils import ( + eprint, + run_subprocess, + remove_prefix, + aggressive_url_encode, + isipaddress, + check_socket, +) class Constants: @@ -79,6 +94,7 @@ class Constants: d = Dialog(dialog='dialog', autowidgetsize=True) d.set_background_title(Constants.MSG_BACKGROUND_TITLE) + ################################################################################################### # if the given interface is up, "ifdown" it def network_stop(selected_iface): @@ -91,7 +107,7 @@ def network_stop(selected_iface): else: command = f"cat /sys/class/net/{selected_iface}/operstate" - return run_process(command, stderr=True) + return run_subprocess(command, stderr=True) ################################################################################################### @@ -106,13 +122,12 @@ def network_start(selected_iface): else: command = f"cat /sys/class/net/{selected_iface}/operstate" - return run_process(command, stderr=True) + return run_subprocess(command, stderr=True) ################################################################################################### # for a given interface, bring it down, write its new settings, and bring it back up def write_and_display_results(interfaces, selected_iface): - ecode, stop_results = network_stop(selected_iface) stop_results = list( filter( 
@@ -147,7 +162,7 @@ def write_and_display_results(interfaces, selected_iface): else: start_text = Constants.MSG_NETWORK_START_ERROR - code = d.msgbox(stop_text + "\n".join(stop_results) + "\n\n. . .\n\n" + start_text + "\n".join(start_results)) + d.msgbox(stop_text + "\n".join(stop_results) + "\n\n. . .\n\n" + start_text + "\n".join(start_results)) ################################################################################################### @@ -166,7 +181,7 @@ def main(): try: with open(Constants.DEV_IDENTIFIER_FILE, 'r') as f: installation = f.readline().strip() - except: + except Exception: pass if installation == Constants.DEV_SENSOR: modeChoices = [Constants.MSG_CONFIG_INTERFACE, Constants.MSG_CONFIG_HOST, Constants.MSG_CONFIG_TIME_SYNC] @@ -182,7 +197,6 @@ def main(): while not quit_flag: os.chdir(start_dir) try: - # welcome code = d.yesno(Constants.MSG_WELCOME_TITLE, yes_label="Continue", no_label="Quit") if code == Dialog.CANCEL or code == Dialog.ESC: @@ -196,15 +210,15 @@ def main(): raise CancelledError if config_mode == Constants.MSG_CONFIG_HOST[0]: - ##### system hostname configuration ################################################################################################## + # system hostname configuration ###################################################################################################### # get current host/identification information - ecode, host_get_output = run_process('hostnamectl', stderr=True) + ecode, host_get_output = run_subprocess('hostnamectl', stderr=True) if ecode == 0: emsg_str = '\n'.join(host_get_output) code = d.msgbox(text=f"{Constants.MSG_SET_HOSTNAME_CURRENT}{emsg_str}") - code, hostname_get_output = run_process('hostname', stderr=False) + code, hostname_get_output = run_subprocess('hostname', stderr=False) if (code == 0) and (len(hostname_get_output) > 0): old_hostname = hostname_get_output[0].strip() else: 
@@ -216,16 +230,16 @@ def main(): if (code == Dialog.CANCEL) or (code == Dialog.ESC): raise CancelledError elif len(new_hostname) <= 0: - code = d.msgbox(text=Constants.MSG_MESSAGE_ERROR.format(f'Invalid hostname specified')) + code = d.msgbox(text=Constants.MSG_MESSAGE_ERROR.format('Invalid hostname specified')) else: break # set new hostname - ecode, host_set_output = run_process( + ecode, host_set_output = run_subprocess( f'hostnamectl set-hostname {new_hostname.strip()}', stderr=True ) if ecode == 0: - ecode, host_get_output = run_process('hostnamectl', stderr=True) + ecode, host_get_output = run_subprocess('hostnamectl', stderr=True) emsg_str = '\n'.join(host_get_output) code = d.msgbox(text=f"{Constants.MSG_SET_HOSTNAME_SUCCESS}{emsg_str}") @@ -253,7 +267,7 @@ def main(): ) elif config_mode == Constants.MSG_CONFIG_TIME_SYNC[0]: - ##### time synchronization configuration############################################################################################## + # time synchronization configuration################################################################################################## time_sync_mode = '' code = Dialog.OK while (len(time_sync_mode) == 0) and (code == Dialog.OK): @@ -296,7 +310,7 @@ def main(): break # test with htpdate to see if we can connect - ecode, test_output = run_process( + ecode, test_output = run_subprocess( f"{Constants.TIME_SYNC_HTPDATE_TEST_COMMAND} {http_host}:{http_port}" ) if ecode == 0: 
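Review bot: `new_hostname` is accepted after nothing more than an emptiness check and then spliced into `f'hostnamectl set-hostname {new_hostname.strip()}'`, which `run_subprocess` hands to a shell, so a value containing `;`, `$(…)`, or even a space becomes additional commands executed by the (presumably root) configuration tool. Validate against the hostname grammar before use, e.g. `if not re.fullmatch(r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*', new_hostname.strip()):` reusing the existing `Invalid hostname specified` message, and pass the value through `shlex.quote()` regardless. `re` is already imported at the top of this file. The surrounding `main()` continues outside the hunk.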
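Review bot: `http_host` and `http_port` are interpolated unquoted into `f"{Constants.TIME_SYNC_HTPDATE_TEST_COMMAND} {http_host}:{http_port}"` and executed through the shell by `run_subprocess`, the same quoting gap as the hostname prompt above. Whatever the loop that ends in the visible `break` checks, quote the host (`shlex.quote(http_host)`) or validate it with `isipaddress` / a hostname regex first; `isipaddress` is already imported from `malcolm_utils` in this file. The input loop that produces these values starts before this hunk.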
@@ -314,14 +328,14 @@ def main(): # get polling interval code, htpdate_interval = d.rangebox( - f"Time synchronization polling interval (minutes)", width=60, min=1, max=60, init=15 + "Time synchronization polling interval (minutes)", width=60, min=1, max=60, init=15 ) if code == Dialog.CANCEL or code == Dialog.ESC: raise CancelledError # stop and disable the ntp process - run_process('/bin/systemctl stop ntp') - run_process('/bin/systemctl disable ntp') + run_subprocess('/bin/systemctl stop ntp') + run_subprocess('/bin/systemctl disable ntp') # write out htpdate file for cron with open(Constants.TIME_SYNC_HTPDATE_CRON, 'w+') as f: @@ -374,9 +388,9 @@ def main(): print(line) # enable and start the ntp process - run_process('/bin/systemctl stop ntp') - run_process('/bin/systemctl enable ntp') - ecode, start_output = run_process('/bin/systemctl start ntp', stderr=True) + run_subprocess('/bin/systemctl stop ntp') + run_subprocess('/bin/systemctl enable ntp') + ecode, start_output = run_subprocess('/bin/systemctl start ntp', stderr=True) if ecode == 0: code = d.msgbox(text=f"{Constants.MSG_TIME_SYNC_CONFIG_SUCCESS}") else: @@ -386,7 +400,7 @@ def main(): raise CancelledError else: - ##### interface IP address configuration ############################################################################################# + # interface IP address configuration ################################################################################################# # read configuration from /etc/network/interfaces.d/sensor (or the default /etc/network/interfaces if for some reason it doesn't exist) interfaces_path = ( @@ -552,7 +566,7 @@ def main(): write_and_display_results(interfaces, selected_iface) break - except CancelledError as c: + except CancelledError: # d.msgbox(text=Constants.MSG_CANCEL_ERROR) # just start over continue diff --git a/shared/bin/docker-uid-gid-setup.sh b/shared/bin/docker-uid-gid-setup.sh index be3cfe384..dbca5a505 100755 
--- a/shared/bin/docker-uid-gid-setup.sh +++ b/shared/bin/docker-uid-gid-setup.sh @@ -1,5 +1,16 @@ #!/bin/bash +# attempt to set ulimits (as root) +if [[ "${PUSER_RLIMIT_UNLOCK:-false}" == "true" ]] && command -v ulimit >/dev/null 2>&1; then + ulimit -c 0 >/dev/null 2>&1 + ulimit -l unlimited >/dev/null 2>&1 + ulimit -m unlimited >/dev/null 2>&1 + ulimit -v unlimited >/dev/null 2>&1 + ulimit -x unlimited >/dev/null 2>&1 + ulimit -n 65535 >/dev/null 2>&1 + ulimit -u 262144 >/dev/null 2>&1 +fi + set -e unset ENTRYPOINT_CMD 
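Review bot: Every `ulimit` call in this block discards both status and output, so when `PUSER_RLIMIT_UNLOCK=true` is explicitly requested but the raise is refused (I believe lifting a hard limit inside a container needs `CAP_SYS_RESOURCE`, which Docker does not grant by default), nothing is logged and the service later trips over the old limit with no hint as to why. This runs before `set -e`, so a failure is already non-fatal; make it visible instead, e.g. `ulimit -n 65535 2>/dev/null || echo "warning: unable to raise RLIMIT_NOFILE" >&2`. The same seven lines are repeated verbatim in the `su` heredoc later in this file; a single `RLIMIT_CMDS` string or function would keep the two copies from drifting.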
@@ -16,47 +27,51 @@ groupmod --non-unique --gid ${PGID:-${DEFAULT_GID}} ${PGROUP} # copied is made read-only, doesn't play nicely if you're using it for configuration # files which exist in a directory which may need to do read-write operations on other files. # This works for nested subdirectories, but don't nest CONFIG_MAP_DIR directories -# inside of other CONFIG_MAP_DIR directories. +# inside of other CONFIG_MAP_DIR directories. More than one CONFIG_MAP_DIR can be specified +# in this variable, separated by ';' (for example, "CONFIG_MAP_DIR=configmap;secretmap"). # # TODO: else with cpio, tar, cp? +CONFIG_MAP_FIND_PRUNE_ARGS=() if [[ -n ${CONFIG_MAP_DIR} ]] && command -v rsync >/dev/null 2>&1; then - find / -type d -name "${CONFIG_MAP_DIR}" -print -o -path /sys -prune -o -path /proc -prune 2>/dev/null | \ - awk '{print gsub("/","/"), $0}' | sort -n | cut -d' ' -f2- | \ - while read CMDIR; do - - rsync --recursive --mkpath --copy-links \ - "--usermap=*:${PUID:-${DEFAULT_UID}}" \ - "--groupmap=*:${PGID:-${DEFAULT_GID}}" \ - --exclude='..*' --exclude="${CONFIG_MAP_DIR}"/ --exclude=.dockerignore --exclude=.gitignore \ - "${CMDIR}"/ "${CMDIR}"/../ - - # TODO - regarding ownership and permissions: - # - # I *think* what we want to do here is change the ownership of - # these configmap-copied files to be owned by the user specified by PUID - # (falling back to DEFAULT_UID) and PGID (falling back to DEFAULT_GID). - # The other option would be to preserve the ownership of the source - # fine with --owner --group, but I don't think that's what we want, as - # if we were doing this with a docker bind mount they'd likely have the - # permissions of the original user on the host, anyway, which is - # supposed to match up to PUID/PGID. 
- # - # For permissions, rsync says that "existing files retain their existing permissions" - # and "new files get their normal permission bits set to the source file's - # permissions masked with the receiving directory's default permissions" - # (either via umask or ACL) which I think is what we want. The other alternative - # would be to do something like --chmod=D2755,F644 - - done # loop over found CONFIG_MAP_DIR directories - CONFIG_MAP_FIND_PRUNE_ARGS=(-o -name "${CONFIG_MAP_DIR}" -prune) + while read MAP_DIR; do -else - CONFIG_MAP_FIND_PRUNE_ARGS=() + find / -type d -name "${MAP_DIR}" -print -o -path /sys -prune -o -path /proc -prune 2>/dev/null | \ + awk '{print gsub("/","/"), $0}' | sort -n | cut -d' ' -f2- | \ + while read CMDIR; do + + rsync --recursive --copy-links \ + "--usermap=*:${PUID:-${DEFAULT_UID}}" \ + "--groupmap=*:${PGID:-${DEFAULT_GID}}" \ + --exclude='..*' --exclude="${MAP_DIR}"/ --exclude=.dockerignore --exclude=.gitignore \ + "${CMDIR}"/ "${CMDIR}"/../ + + # TODO - regarding ownership and permissions: + # + # I *think* what we want to do here is change the ownership of + # these configmap-copied files to be owned by the user specified by PUID + # (falling back to DEFAULT_UID) and PGID (falling back to DEFAULT_GID). + # The other option would be to preserve the ownership of the source + # fine with --owner --group, but I don't think that's what we want, as + # if we were doing this with a docker bind mount they'd likely have the + # permissions of the original user on the host, anyway, which is + # supposed to match up to PUID/PGID. + # + # For permissions, rsync says that "existing files retain their existing permissions" + # and "new files get their normal permission bits set to the source file's + # permissions masked with the receiving directory's default permissions" + # (either via umask or ACL) which I think is what we want. 
The other alternative + # would be to do something like --chmod=D2755,F644 + + done # loop over found MAP_DIR directories + CONFIG_MAP_FIND_PRUNE_ARGS+=(-o -name "${MAP_DIR}" -prune) + + done < <(echo "${CONFIG_MAP_DIR}" | tr ';' '\n') # loop over ';' separated CONFIG_MAP_DIR values fi # check for CONFIG_MAP_DIR and rsync -# change user/group ownership of any files/directories belonging to the original IDs set +e + +# change user/group ownership of any files/directories belonging to the original IDs if [[ -n ${PUID} ]] && [[ "${PUID}" != "${DEFAULT_UID}" ]]; then find / -path /sys -prune -o -path /proc -prune -o -user ${DEFAULT_UID} -exec chown -f ${PUID} "{}" \; 2>/dev/null fi @@ -126,7 +141,6 @@ if [[ -n ${PUSER_CA_TRUST} ]] && command -v openssl >/dev/null 2>&1; then command -v update-ca-certificates >/dev/null 2>&1 && update-ca-certificates >/dev/null 2>&1 command -v update-ca-trust >/dev/null 2>&1 && update-ca-trust extract >/dev/null 2>&1 fi -set -e # determine if we are now dropping privileges to exec ENTRYPOINT_CMD if [[ "$PUSER_PRIV_DROP" == "true" ]]; then @@ -137,14 +151,23 @@ else USER_HOME="${HOME:-/root}" fi -# execute the entrypoint command specified +# attempt to set ulimits (as user) and execute the entrypoint command specified su -s /bin/bash -p ${EXEC_USER} << EOF export USER="${EXEC_USER}" export HOME="${USER_HOME}" whoami id -if [ ! -z "${ENTRYPOINT_CMD}" ]; then - if [ -z "${ENTRYPOINT_ARGS}" ]; then +if [[ "${PUSER_RLIMIT_UNLOCK:-false}" == "true" ]] && command -v ulimit >/dev/null 2>&1; then + ulimit -c 0 >/dev/null 2>&1 + ulimit -l unlimited >/dev/null 2>&1 + ulimit -m unlimited >/dev/null 2>&1 + ulimit -v unlimited >/dev/null 2>&1 + ulimit -x unlimited >/dev/null 2>&1 + ulimit -n 65535 >/dev/null 2>&1 + ulimit -u 262144 >/dev/null 2>&1 +fi +if [[ ! -z "${ENTRYPOINT_CMD}" ]]; then + if [[ -z "${ENTRYPOINT_ARGS}" ]]; then "${ENTRYPOINT_CMD}" else "${ENTRYPOINT_CMD}" $(printf "%q " "${ENTRYPOINT_ARGS[@]}") 
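Review bot: The new outer loop uses a bare `read`, so backslashes in the value are interpreted, and an empty element from a trailing separator (`CONFIG_MAP_DIR=configmap;`) still runs `find / -type d -name ""` and appends `-o -name "" -prune`; harmless today but easy to trip over. Open the loop with `while IFS= read -r MAP_DIR; do` followed by `[[ -n "${MAP_DIR}" ]] || continue`. Worth a one-line comment as well: `-name "${MAP_DIR}"` is a `find` glob, so a value like `*map` would rsync far more directories into their parents than intended.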
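Review bot: Inside the unprivileged `su` heredoc, `ulimit -n 65535` and `ulimit -u 262144` set the hard and soft limit together; as a non-root user that only succeeds when the inherited hard limit is already at least that value, and when it is higher it permanently lowers the hard limit for the service, the opposite of "unlock". Raise only the soft limit to whatever the hard limit allows, and because the heredoc delimiter is unquoted (`<< EOF`) escape the substitution so it runs in the child rather than in the root shell assembling the text: `ulimit -S -n "\$(ulimit -H -n)" >/dev/null 2>&1` and `ulimit -S -u "\$(ulimit -H -u)" >/dev/null 2>&1`. The `unlimited` calls share the soft/hard semantics but simply fail when not permitted. The heredoc's `EOF` terminator lies outside the hunk.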
diff --git a/shared/bin/ics-oui-parse.py b/shared/bin/ics-oui-parse.py index 00cc795d1..88bd984d6 100755 --- a/shared/bin/ics-oui-parse.py +++ b/shared/bin/ics-oui-parse.py @@ -11,9 +11,13 @@ import ruamel.yaml as yaml except ImportError: import yaml -from netaddr import * + +from netaddr import EUI from operator import itemgetter +import malcolm_utils +from malcolm_utils import eprint, str2bool + ################################################################################################### args = None debug = False @@ -24,23 +28,6 @@ padded_mac_low = '00:00:00:00:00:00' padded_mac_high = 'FF:FF:FF:FF:FF:FF' -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) - sys.stderr.flush() - - -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ("yes", "true", "t", "y", "1"): - return True - elif v.lower() in ("no", "false", "f", "n", "0"): - return False - else: - raise ValueError("Boolean value expected") - ################################################################################################### # main @@ -100,14 +87,13 @@ def main(): macPadHigh = macPad + padded_mac_high[-(len(padded_mac_high) - len(macPad)) :] macLow = EUI(macPadLow.replace(':', '-')) macHigh = EUI(macPadHigh.replace(':', '-')) - eui64 = int(macHigh.eui64()) - int(macLow.eui64()) companies.append( { 'name': oui['companyName'], 'low': str(macLow), - #'low': int(re.sub("[.:-]", "", str(macLow)), 16), + # 'low': int(re.sub("[.:-]", "", str(macLow)), 16), 'high': str(macHigh), - #'high': int(re.sub("[.:-]", "", str(macHigh)), 16), + # 'high': int(re.sub("[.:-]", "", str(macHigh)), 16), } ) diff --git a/shared/bin/keystore-bootstrap.sh b/shared/bin/keystore-bootstrap.sh new file mode 100644 index 000000000..f24243523 --- /dev/null 
+++ b/shared/bin/keystore-bootstrap.sh 
@@ -0,0 +1,71 @@ +#!/usr/bin/env bash + +# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. + +# make sure the keystore file used by the tool (e.g., foobar) is copied or created +# into the correct location before the tool. starts up. +# +# example: +# - /usr/share/foobar/config/persist/foobar.keystore +# - "real" location of keystore file used by foobar +# - /usr/share/foobar/config/bootstrap/foobar.keystore +# - if "persist" keystore does't exist, but "bootstrap" keystore +# does, then copy "bootstrap" keystore to "persist" keystore +# - /usr/share/foobar/config/foobar.keystore +# - symlinks to "persist" keystore (foobar requires this +# to be the file it actually looks at) +# +declare -A KEYSTORE_FILE_MIN_BYTES +KEYSTORE_FILE_MIN_BYTES[opensearch]=196 +KEYSTORE_FILE_MIN_BYTES[logstash]=465 +KEYSTORE_FILE_MIN_BYTES[none]=128 + +# for each "*-keystore" executable in the filesystem... +find / -type f -name "*-keystore" -executable 2>/dev/null | while read KEYSTORE_BIN; do + + # TOOL_PATH is parent of keystore bin, e.g., /usr/share/foobar + TOOL_PATH="$(realpath $(dirname "${KEYSTORE_BIN}")/..)" + + # tool name is just the part before -keystore + TOOL_NAME="$(basename "${KEYSTORE_BIN}" | sed 's/-keystore$//')" + + # keystore bin is like foobar-keystore, keystore file is foobar.keystore + KEYSTORE_NAME="${TOOL_NAME}.keystore" + + [[ -z "${KEYSTORE_FILE_MIN_BYTES["${TOOL_NAME}"]+unset}" ]] && MIN_BYTES=${KEYSTORE_FILE_MIN_BYTES[none]} || MIN_BYTES=${KEYSTORE_FILE_MIN_BYTES["${TOOL_NAME}"]} + + # chdir to tool directory + pushd "${TOOL_PATH}" >/dev/null 2>&1 + + # since ./config/foobar.keystore is going to just be a symlink to ./config/persist/foobar.keystore, + # get it out of the way now if for some reason it already exists + rm -f ./config/"${KEYSTORE_NAME}" + + # does ./config/persist/foobar.keystore exist, and is it big enough to be a real keystore file? ... + if [[ ! 
-f ./config/persist/"${KEYSTORE_NAME}" ]] || \ + (( $(stat --format=%s ./config/persist/"${KEYSTORE_NAME}" 2>/dev/null || echo 0) < ${MIN_BYTES} )); then + + # ... no, it does not! if there was something there (too small/empty file) remove it + rm -f ./config/persist/"${KEYSTORE_NAME}" + + # does ./config/bootstrap/foobar.keystore exist, and is it big enough to be copied into ./config/persist? ... + if [[ -f ./config/bootstrap/"${KEYSTORE_NAME}" ]] && \ + (( $(stat --format=%s ./config/bootstrap/"${KEYSTORE_NAME}" 2>/dev/null || echo 0) >= ${MIN_BYTES} )); then + + # ... yes, it does! bootstrap becomes the new persist keystore + cp ./config/bootstrap/"${KEYSTORE_NAME}" ./config/persist/"${KEYSTORE_NAME}" + + else + # ... no, it doe not! create a fresh/empty .keystore file at ./config/foobar.keystore and move it to ./config/persist/ + "${KEYSTORE_BIN}" create + mv ./config/"${KEYSTORE_NAME}" ./config/persist/"${KEYSTORE_NAME}" + fi + + fi # check for ./config/persist/foobar.keystore + + # symlink ./config/foobar.keystore to ./config/persist/foobar.keystore + ln -s -r ./config/persist/"${KEYSTORE_NAME}" ./config/"${KEYSTORE_NAME}" + + popd >/dev/null 2>&1 +done # loop over keystore executables (probably just one) + diff --git a/shared/bin/manuf-oui-parse.py b/shared/bin/manuf-oui-parse.py index 4ea487960..7cc0be2f4 100755 --- a/shared/bin/manuf-oui-parse.py +++ b/shared/bin/manuf-oui-parse.py @@ -9,6 +9,9 @@ import sys import tempfile +import malcolm_utils +from malcolm_utils import eprint, str2bool + try: import ruamel.yaml as yaml except ImportError: 
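Review bot: `find / -type f -name "*-keystore" -executable` walks the entire filesystem, including any volumes already mounted, and each hit is later executed as `"${KEYSTORE_BIN}" create`, so any writable mount containing an executable named like `foo-keystore` gets run by this bootstrap, which presumably executes as root before privileges are dropped. Restrict the search to the known install roots (e.g. `find /usr/share /opt -maxdepth 3 -type f -name "*-keystore" -executable`) or at least prune `/proc`, `/sys` and the data mount paths the way `docker-uid-gid-setup.sh` does. Separately, `TOOL_PATH="$(realpath $(dirname "${KEYSTORE_BIN}")/..)"` leaves the inner substitution unquoted and word-splits on whitespace; write `TOOL_PATH="$(realpath "$(dirname "${KEYSTORE_BIN}")"/..)"`. The `KEYSTORE_FILE_MIN_BYTES` check deletes an existing persist keystore that is smaller than the threshold, so a comment recording where 196 and 465 come from would let a maintainer judge whether that deletion is safe.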
@@ -25,22 +28,6 @@ scriptPath = os.path.dirname(os.path.realpath(__file__)) origPath = os.getcwd() -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) - - -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ('yes', 'true', 't', 'y', '1'): - return True - elif v.lower() in ('no', 'false', 'f', 'n', '0'): - return False - else: - raise argparse.ArgumentTypeError('Boolean value expected.') - def strip_mac(mac): return mac_pattern.sub("", mac) @@ -57,7 +44,14 @@ def main(): parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) parser.add_argument( - '-v', '--verbose', dest='debug', type=str2bool, nargs='?', const=True, default=False, help="Verbose output" + '-v', + '--verbose', + dest='debug', + type=str2bool, + nargs='?', + const=True, + default=False, + help="Verbose output", ) parser.add_argument( '-i', diff --git a/shared/bin/opensearch_index_size_prune.py b/shared/bin/opensearch_index_size_prune.py index 01783c4a1..16d63933d 100755 --- a/shared/bin/opensearch_index_size_prune.py +++ b/shared/bin/opensearch_index_size_prune.py @@ -4,7 +4,6 @@ import argparse import humanfriendly import json -import malcolm_common import re import requests import os 
@@ -14,28 +13,15 @@ from collections import defaultdict from requests.auth import HTTPBasicAuth +import malcolm_utils +from malcolm_utils import eprint, str2bool, ParseCurlFile + ################################################################################################### debug = False scriptName = os.path.basename(__file__) scriptPath = os.path.dirname(os.path.realpath(__file__)) urllib3.disable_warnings() -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) - - -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ('yes', 'true', 't', 'y', '1'): - return True - elif v.lower() in ('no', 'false', 'f', 'n', '0'): - return False - else: - raise argparse.ArgumentTypeError('Boolean value expected.') - ################################################################################################### # main @@ -77,7 +63,7 @@ def main(): dest='opensearchCurlRcFile', metavar='', type=str, - default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc'), + default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/curlrc/.opensearch.primary.curlrc'), help='cURL.rc formatted file containing OpenSearch connection parameters', ) parser.add_argument( @@ -147,7 +133,7 @@ def main(): try: parser.error = parser.exit args = parser.parse_args() - except Exception as e: + except Exception: parser.print_help() exit(2) 
@@ -165,9 +151,7 @@ def main(): args.opensearchIsLocal = args.opensearchIsLocal or (args.opensearchUrl == 'http://opensearch:9200') opensearchCreds = ( - malcolm_common.ParseCurlFile(args.opensearchCurlRcFile) - if (not args.opensearchIsLocal) - else defaultdict(lambda: None) + ParseCurlFile(args.opensearchCurlRcFile) if (not args.opensearchIsLocal) else defaultdict(lambda: None) ) if not args.opensearchUrl: if args.opensearchIsLocal: @@ -209,7 +193,6 @@ def main(): raise Exception(f'Invalid limit percentage {args.limit}') if limitPercent is not None: - # get allocation statistics for node(s) to do percentage calculation esDiskUsageStats = [] osInfoResponse = requests.get( @@ -250,10 +233,10 @@ def main(): # ... # ] if len(esDiskUsageStats) != 1: - raise Exception(f'Unable to determine node, please specify --node if using a percentage limit') + raise Exception('Unable to determine node, please specify --node if using a percentage limit') elif 'disk.total' not in esDiskUsageStats[0]: raise Exception( - f'Unable to determine disk.total for {esDiskUsageStats[0]["node"] if "node" in esDiskUsageStats[0] else node}' + f'Unable to determine disk.total for {esDiskUsageStats[0]["node"] if "node" in esDiskUsageStats[0] else "node"}' ) limitMegabytes = int(float(esDiskUsageStats[0]['disk.total']) * (float(limitPercent) / 100.0)) // 1000000 diff --git a/shared/bin/opensearch_read_only.py b/shared/bin/opensearch_read_only.py index 98278aac7..35c9f210f 100755 --- a/shared/bin/opensearch_read_only.py +++ b/shared/bin/opensearch_read_only.py @@ -6,7 +6,6 @@ import argparse import json import requests -import malcolm_common import os import sys import urllib3 
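Review bot: The fallback in the f-string, `... else "node"`, now prints the literal word "node" in the error, which tells the operator nothing about which node lacked `disk.total`; the previous bare `node` name was undefined (hence the fix), but the intended value was presumably the node selected by the `--node` option referenced in the sibling error message, i.e. `args.node` or whatever that option's dest is (not visible in this hunk). If no node was selected, a message such as `'Unable to determine disk.total for the selected node'` would be clearer than the placeholder. main()'s body starts and ends outside this hunk.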
@@ -14,28 +13,15 @@ from collections import defaultdict from requests.auth import HTTPBasicAuth +import malcolm_utils +from malcolm_utils import eprint, str2bool, ParseCurlFile + ################################################################################################### debug = False scriptName = os.path.basename(__file__) scriptPath = os.path.dirname(os.path.realpath(__file__)) urllib3.disable_warnings() -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) - - -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ('yes', 'true', 't', 'y', '1'): - return True - elif v.lower() in ('no', 'false', 'f', 'n', '0'): - return False - else: - raise argparse.ArgumentTypeError('Boolean value expected.') - ################################################################################################### # main @@ -77,7 +63,7 @@ def main(): dest='opensearchCurlRcFile', metavar='', type=str, - default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc'), + default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/curlrc/.opensearch.primary.curlrc'), help='cURL.rc formatted file containing OpenSearch connection parameters', ) parser.add_argument( @@ -133,7 +119,7 @@ def main(): try: parser.error = parser.exit args = parser.parse_args() - except Exception as e: + except Exception: parser.print_help() exit(2) 
@@ -147,9 +133,7 @@ def main(): args.opensearchIsLocal = args.opensearchIsLocal or (args.opensearchUrl == 'http://opensearch:9200') opensearchCreds = ( - malcolm_common.ParseCurlFile(args.opensearchCurlRcFile) - if (not args.opensearchIsLocal) - else defaultdict(lambda: None) + ParseCurlFile(args.opensearchCurlRcFile) if (not args.opensearchIsLocal) else defaultdict(lambda: None) ) if not args.opensearchUrl: if args.opensearchIsLocal: diff --git a/shared/bin/opensearch_status.sh b/shared/bin/opensearch_status.sh index f14988ede..04b048151 100755 --- a/shared/bin/opensearch_status.sh +++ b/shared/bin/opensearch_status.sh @@ -35,7 +35,7 @@ shift "$(($OPTIND -1))" OPENSEARCH_URL=${OPENSEARCH_URL:-"http://opensearch:9200"} OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"} -OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} +OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.primary.curlrc"} if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then CURL_CONFIG_PARAMS=( --config diff --git a/shared/bin/pcap_processor.py b/shared/bin/pcap_processor.py index a458a8672..c8fba5f37 100755 --- a/shared/bin/pcap_processor.py +++ b/shared/bin/pcap_processor.py @@ -12,6 +12,7 @@ import argparse import json +import logging import os import shutil import signal @@ -21,7 +22,20 @@ import time import zmq -from pcap_utils import * +from pcap_utils import ( + FILE_INFO_DICT_NAME, + FILE_INFO_DICT_NODE, + FILE_INFO_DICT_SIZE, + FILE_INFO_DICT_TAGS, + FILE_INFO_FILE_MIME, + FILE_INFO_FILE_TYPE, + PCAP_MIME_TYPES, + PCAP_TOPIC_PORT, + tags_from_filename, +) +import malcolm_utils +from malcolm_utils import eprint, str2bool, AtomicInt, run_process + from multiprocessing.pool import ThreadPool from collections import deque from itertools import chain, repeat 
@@ -64,9 +78,7 @@ ################################################################################################### -debug = False -verboseDebug = False -debugToggled = False + pdbFlagged = False args = None scriptName = os.path.basename(__file__) @@ -77,6 +89,7 @@ arkimeProvider = os.getenv('ARKIME_ECS_PROVIDER', 'arkime') arkimeDataset = os.getenv('ARKIME_ECS_DATASET', 'session') + ################################################################################################### # handle sigint/sigterm and set a global shutdown variable def shutdown_handler(signum, frame): @@ -91,19 +104,8 @@ def pdb_handler(sig, frame): pdbFlagged = True -################################################################################################### -# handle sigusr2 for toggling debug -def debug_toggle_handler(signum, frame): - global debug - global debugToggled - debug = not debug - debugToggled = True - - ################################################################################################### def arkimeCaptureFileWorker(arkimeWorkerArgs): - global debug - global verboseDebug global shuttingDown global scanWorkersCount global arkimeProvider @@ -111,17 +113,20 @@ def arkimeCaptureFileWorker(arkimeWorkerArgs): scanWorkerId = scanWorkersCount.increment() # unique ID for this thread - newFileQueue, pcapBaseDir, arkimeBin, nodeName, autoTag, notLocked = ( + newFileQueue, pcapBaseDir, arkimeBin, nodeName, autoTag, notLocked, logger = ( arkimeWorkerArgs[0], arkimeWorkerArgs[1], arkimeWorkerArgs[2], arkimeWorkerArgs[3], arkimeWorkerArgs[4], arkimeWorkerArgs[5], + arkimeWorkerArgs[6], ) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\tstarted") + if not logger: + logger = logging + + logger.info(f"{scriptName}[{scanWorkerId}]:\tstarted") # loop forever, or until we're told to shut down while not shuttingDown: 
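Review bot: Each worker still unpacks its argument tuple by index (`arkimeWorkerArgs[0]` … `arkimeWorkerArgs[6]`), and the new `logger` slot extends that to seven positional elements that must be kept in sync by hand with the tuple built in main(); zeekFileWorker and suricataFileWorker in the later hunks have the same shape with nine elements. A plain tuple unpacking, `newFileQueue, pcapBaseDir, arkimeBin, nodeName, autoTag, notLocked, logger = arkimeWorkerArgs`, makes the expected arity explicit, fails with a clear ValueError on a mismatch and reads better. The `if not logger: logger = logging` fallback is also worth a one-line comment, e.g. `# no Logger supplied: fall back to the root logger via the module-level functions`. arkimeCaptureFileWorker's loop body continues outside this hunk.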
@@ -132,7 +137,6 @@ def arkimeCaptureFileWorker(arkimeWorkerArgs): time.sleep(1) else: if isinstance(fileInfo, dict) and (FILE_INFO_DICT_NAME in fileInfo): - if pcapBaseDir and os.path.isdir(pcapBaseDir): fileInfo[FILE_INFO_DICT_NAME] = os.path.join(pcapBaseDir, fileInfo[FILE_INFO_DICT_NAME]) @@ -147,8 +151,7 @@ def arkimeCaptureFileWorker(arkimeWorkerArgs): if ((FILE_INFO_DICT_TAGS in fileInfo) and autoTag) else list() ) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🔎\t{fileInfo}") + logger.info(f"{scriptName}[{scanWorkerId}]:\t🔎\t{fileInfo}") # put together arkime execution command cmd = [ 
@@ -169,32 +172,27 @@ def arkimeCaptureFileWorker(arkimeWorkerArgs): cmd.extend(list(chain.from_iterable(zip(repeat('-t'), fileInfo[FILE_INFO_DICT_TAGS])))) # execute capture for pcap file - retcode, output = run_process(cmd, debug=verboseDebug) + retcode, output = run_process(cmd, logger=logger) if retcode == 0: - if debug: - eprint( - f"{scriptName}[{scanWorkerId}]:\t✅\t{os.path.basename(fileInfo[FILE_INFO_DICT_NAME])}" - ) + logger.info( + f"{scriptName}[{scanWorkerId}]:\t✅\t{os.path.basename(fileInfo[FILE_INFO_DICT_NAME])}" + ) else: - if debug: - eprint( - f"{scriptName}[{scanWorkerId}]:\t❗\t{arkimeBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} returned {retcode} {output if verboseDebug else ''}" - ) + logger.warning( + f"{scriptName}[{scanWorkerId}]:\t❗\t{arkimeBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} returned {retcode} {output}" + ) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\tfinished") + logger.info(f"{scriptName}[{scanWorkerId}]:\tfinished") ################################################################################################### def zeekFileWorker(zeekWorkerArgs): - global debug - global verboseDebug global shuttingDown global scanWorkersCount scanWorkerId = scanWorkersCount.increment() # unique ID for this thread - newFileQueue, pcapBaseDir, zeekBin, autoZeek, forceZeek, autoTag, uploadDir, defaultExtractFileMode = ( + newFileQueue, pcapBaseDir, zeekBin, autoZeek, forceZeek, autoTag, uploadDir, defaultExtractFileMode, logger = ( zeekWorkerArgs[0], zeekWorkerArgs[1], zeekWorkerArgs[2], @@ -203,10 +201,13 @@ def zeekFileWorker(zeekWorkerArgs): zeekWorkerArgs[5], zeekWorkerArgs[6], zeekWorkerArgs[7], + zeekWorkerArgs[8], ) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\tstarted") + if not logger: + logger = logging + + logger.info(f"{scriptName}[{scanWorkerId}]:\tstarted") # loop forever, or until we're told to shut down while not shuttingDown: 
@@ -217,7 +218,6 @@ def zeekFileWorker(zeekWorkerArgs): time.sleep(1) else: if isinstance(fileInfo, dict) and (FILE_INFO_DICT_NAME in fileInfo) and os.path.isdir(uploadDir): - if pcapBaseDir and os.path.isdir(pcapBaseDir): fileInfo[FILE_INFO_DICT_NAME] = os.path.join(pcapBaseDir, fileInfo[FILE_INFO_DICT_NAME]) @@ -237,7 +237,6 @@ def zeekFileWorker(zeekWorkerArgs): ) ) ): - extractFileMode = defaultExtractFileMode # if file carving was specified via tag, make note of it @@ -260,13 +259,11 @@ def zeekFileWorker(zeekWorkerArgs): if ((FILE_INFO_DICT_TAGS in fileInfo) and autoTag) else list() ) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🔎\t{fileInfo}") + logger.info(f"{scriptName}[{scanWorkerId}]:\t🔎\t{fileInfo}") # create a temporary work directory where zeek will be executed to generate the log files with tempfile.TemporaryDirectory() as tmpLogDir: if os.path.isdir(tmpLogDir): - processTimeUsec = int(round(time.time() * 1000000)) # use Zeek to process the pcap 
@@ -282,17 +279,15 @@ def zeekFileWorker(zeekWorkerArgs): # execute zeek with the cwd of tmpLogDir so that's where the logs go, and with the updated file carving environment variable zeekEnv = os.environ.copy() zeekEnv[ZEEK_EXTRACTOR_MODE_ENV_VAR] = extractFileMode - retcode, output = run_process(zeekCmd, cwd=tmpLogDir, env=zeekEnv, debug=verboseDebug) + retcode, output = run_process(zeekCmd, cwd=tmpLogDir, env=zeekEnv, logger=logger) if retcode == 0: - if debug: - eprint( - f"{scriptName}[{scanWorkerId}]:\t✅\t{os.path.basename(fileInfo[FILE_INFO_DICT_NAME])}" - ) + logger.info( + f"{scriptName}[{scanWorkerId}]:\t✅\t{os.path.basename(fileInfo[FILE_INFO_DICT_NAME])}" + ) else: - if debug: - eprint( - f"{scriptName}[{scanWorkerId}]:\t❗\t{zeekBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} returned {retcode} {output if verboseDebug else ''}" - ) + logger.info( + f"{scriptName}[{scanWorkerId}]:\t❗\t{zeekBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} returned {retcode} {output}" + ) # clean up the .state directory we don't care to keep tmpStateDir = os.path.join(tmpLogDir, ZEEK_STATE_DIR) @@ -302,7 +297,6 @@ def zeekFileWorker(zeekWorkerArgs): # make sure log files were generated logFiles = [logFile for logFile in os.listdir(tmpLogDir) if logFile.endswith('.log')] if len(logFiles) > 0: - # tar up the results tgzFileName = os.path.join( tmpLogDir, 
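Review bot: The non-zero return branch for zeek (`logger.info(f"{scriptName}[{scanWorkerId}]:\t❗\t{zeekBin} ... returned {retcode} {output}")`) is logged at INFO, while the equivalent branches for arkime and suricata in this same file use `logger.warning`; with the default verbosity mapping added in main() (count of 1 → WARNING) INFO is filtered out, so a failing zeek run leaves no trace in the log. Change it to `logger.warning(` to match the other two workers. zeekFileWorker's body starts and ends outside this hunk.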
@@ -321,36 +315,30 @@ def zeekFileWorker(zeekWorkerArgs): # the way Docker volume mounts work, ie. avoid "OSError: [Errno 18] Invalid cross-device link"). # we don't have to explicitly delete it since this whole directory is about to leave context and be removed shutil.copy(tgzFileName, uploadDir) - if verboseDebug: - eprint(f"{scriptName}[{scanWorkerId}]:\t⏩\t{tgzFileName} → {uploadDir}") + logger.debug(f"{scriptName}[{scanWorkerId}]:\t⏩\t{tgzFileName} → {uploadDir}") else: # zeek returned no log files (or an error) - if debug: - eprint( - f"{scriptName}[{scanWorkerId}]:\t❓\t{zeekBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} generated no log files" - ) + logger.warning( + f"{scriptName}[{scanWorkerId}]:\t❓\t{zeekBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} generated no log files" + ) else: - if debug: - eprint( - f"{scriptName}[{scanWorkerId}]:\t❗\terror creating temporary directory {tmpLogDir}" - ) + logger.warning( + f"{scriptName}[{scanWorkerId}]:\t❗\terror creating temporary directory {tmpLogDir}" + ) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\tfinished") + logger.info(f"{scriptName}[{scanWorkerId}]:\tfinished") ################################################################################################### def suricataFileWorker(suricataWorkerArgs): - global debug - global verboseDebug global shuttingDown global scanWorkersCount scanWorkerId = scanWorkersCount.increment() # unique ID for this thread - newFileQueue, pcapBaseDir, autoSuricata, forceSuricata, suricataBin, autoTag, uploadDir, suricataConfig = ( + newFileQueue, pcapBaseDir, autoSuricata, forceSuricata, suricataBin, autoTag, uploadDir, suricataConfig, logger = ( suricataWorkerArgs[0], suricataWorkerArgs[1], suricataWorkerArgs[2], 
@@ -359,10 +347,13 @@ def suricataFileWorker(suricataWorkerArgs): suricataWorkerArgs[5], suricataWorkerArgs[6], suricataWorkerArgs[7], + suricataWorkerArgs[8], ) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\tstarted") + if not logger: + logger = logging + + logger.info(f"{scriptName}[{scanWorkerId}]:\tstarted") # loop forever, or until we're told to shut down while not shuttingDown: @@ -373,7 +364,6 @@ def suricataFileWorker(suricataWorkerArgs): time.sleep(1) else: if isinstance(fileInfo, dict) and (FILE_INFO_DICT_NAME in fileInfo): - # Suricata this PCAP if it's tagged "AUTOSURICATA" or if the global autoSuricata flag is turned on. # However, skip "live" PCAPs Malcolm is capturing and rotating through for Arkime capture, # as Suricata now does its own network capture in Malcolm standalone mode. @@ -391,12 +381,10 @@ def suricataFileWorker(suricataWorkerArgs): ) ) ): - if pcapBaseDir and os.path.isdir(pcapBaseDir): fileInfo[FILE_INFO_DICT_NAME] = os.path.join(pcapBaseDir, fileInfo[FILE_INFO_DICT_NAME]) if os.path.isfile(fileInfo[FILE_INFO_DICT_NAME]): - # finalize tags list fileInfo[FILE_INFO_DICT_TAGS] = ( [ @@ -407,13 +395,11 @@ def suricataFileWorker(suricataWorkerArgs): if ((FILE_INFO_DICT_TAGS in fileInfo) and autoTag) else list() ) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🔎\t{fileInfo}") + logger.info(f"{scriptName}[{scanWorkerId}]:\t🔎\t{fileInfo}") # create a temporary work directory where suricata will be executed to generate the log files with tempfile.TemporaryDirectory() as tmpLogDir: if os.path.isdir(tmpLogDir): - processTimeUsec = int(round(time.time() * 1000000)) # put together suricata execution command @@ -428,7 +414,7 @@ def suricataFileWorker(suricataWorkerArgs): ] # execute suricata-capture for pcap file - retcode, output = run_process(cmd, debug=verboseDebug) + retcode, output = run_process(cmd, logger=logger) eveJsonFile = os.path.join(tmpLogDir, "eve.json") if os.path.isfile(eveJsonFile): 
@@ -444,30 +430,25 @@ def suricataFileWorker(suricataWorkerArgs): ) if retcode == 0: - if debug: - eprint( - f"{scriptName}[{scanWorkerId}]:\t✅\t{os.path.basename(fileInfo[FILE_INFO_DICT_NAME])}" - ) + logger.info( + f"{scriptName}[{scanWorkerId}]:\t✅\t{os.path.basename(fileInfo[FILE_INFO_DICT_NAME])}" + ) else: - if debug: - eprint( - f"{scriptName}[{scanWorkerId}]:\t❗\t{suricataBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} returned {retcode} {output if verboseDebug else ''}" - ) + logger.warning( + f"{scriptName}[{scanWorkerId}]:\t❗\t{suricataBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} returned {retcode} {output}" + ) else: - if debug: - eprint( - f"{scriptName}[{scanWorkerId}]:\t❗\terror creating temporary directory {tmpLogDir}" - ) + logger.warning( + f"{scriptName}[{scanWorkerId}]:\t❗\terror creating temporary directory {tmpLogDir}" + ) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\tfinished") + logger.info(f"{scriptName}[{scanWorkerId}]:\tfinished") ################################################################################################### # main def main(): - processingMode = None if 'pcap_processor' in scriptName: eprint( 
@@ -487,36 +468,11 @@ def main(): exit(2) global args - global debug - global debugToggled global pdbFlagged global shuttingDown - global verboseDebug parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) - parser.add_argument( - '-v', - '--verbose', - dest='debug', - help="Verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) - parser.add_argument( - '--extra-verbose', - dest='verboseDebug', - help="Super verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) + parser.add_argument('--verbose', '-v', action='count', default=1, help='Increase verbosity (e.g., -v, -vv, etc.)') parser.add_argument( '--start-sleep', dest='startSleepSec', @@ -698,20 +654,20 @@ def main(): parser.print_help() exit(2) - verboseDebug = args.verboseDebug - debug = args.debug or verboseDebug - if debug: - eprint(os.path.join(scriptPath, scriptName)) - eprint("{} arguments: {}".format(scriptName, sys.argv[1:])) - eprint("{} arguments: {}".format(scriptName, args)) - else: + args.verbose = logging.ERROR - (10 * args.verbose) if args.verbose > 0 else 0 + logging.basicConfig( + level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S' + ) + logging.info(os.path.join(scriptPath, scriptName)) + logging.info("Arguments: {}".format(sys.argv[1:])) + logging.info("Arguments: {}".format(args)) + if args.verbose > logging.DEBUG: sys.tracebacklimit = 0 # handle sigint and sigterm for graceful shutdown signal.signal(signal.SIGINT, shutdown_handler) signal.signal(signal.SIGTERM, shutdown_handler) signal.signal(signal.SIGUSR1, pdb_handler) - signal.signal(signal.SIGUSR2, debug_toggle_handler) # sleep for a bit if requested sleepCount = 0 
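Review bot: `args.verbose = logging.ERROR - (10 * args.verbose) if args.verbose > 0 else 0` is not bounded below: with `action='count'` and `default=1`, `-vvv` yields 0 (NOTSET) and `-vvvv` a negative level, and the `else 0` branch can never be taken because the count starts at 1 and only increases. A clamp such as `args.verbose = max(0, logging.ERROR - (10 * args.verbose))` keeps the level in range, and a comment next to it (`# default → WARNING, -v → INFO, -vv → DEBUG`) would make the mapping readable. The previous `-v`/`--verbose` accepted an explicit `true|false` value via str2bool; if any entrypoint or compose file still passes `--verbose true`, argparse will now most likely reject `true` as an unrecognized argument, which is worth checking in the callers (not visible here). main()'s body continues outside the hunk.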
@@ -728,15 +684,14 @@ def main(): new_files_socket.setsockopt(zmq.SUBSCRIBE, b"") # All topics new_files_socket.setsockopt(zmq.LINGER, 0) # All topics new_files_socket.RCVTIMEO = 1500 - if debug: - eprint(f"{scriptName}:\tsubscribed to topic at {PCAP_TOPIC_PORT}") + logging.info(f"{scriptName}:\tsubscribed to topic at {PCAP_TOPIC_PORT}") # we'll pull from the topic in the main thread and queue them for processing by the worker threads newFileQueue = deque() # start worker threads which will pull filenames/tags to be processed by capture if processingMode == PCAP_PROCESSING_MODE_ARKIME: - scannerThreads = ThreadPool( + ThreadPool( args.threads, arkimeCaptureFileWorker, ( @@ -747,11 +702,12 @@ def main(): args.nodeName, args.autoTag, args.notLocked, + logging, ], ), ) elif processingMode == PCAP_PROCESSING_MODE_ZEEK: - scannerThreads = ThreadPool( + ThreadPool( args.threads, zeekFileWorker, ( @@ -764,11 +720,12 @@ def main(): args.autoTag, args.zeekUploadDir, args.zeekExtractFileMode, + logging, ], ), ) elif processingMode == PCAP_PROCESSING_MODE_SURICATA: - scannerThreads = ThreadPool( + ThreadPool( args.threads, suricataFileWorker, ( @@ -781,6 +738,7 @@ def main(): args.autoTag, args.suricataUploadDir, args.suricataConfigFile, + logging, ], ), ) @@ -794,21 +752,17 @@ def main(): # accept a file info dict from new_files_socket as json try: fileInfo = json.loads(new_files_socket.recv_string()) - except zmq.Again as timeout: + except zmq.Again: # no file received due to timeout, we'll go around and try again - if verboseDebug: - eprint(f"{scriptName}:\t🕑\t(recv)") fileInfo = None if isinstance(fileInfo, dict) and (FILE_INFO_DICT_NAME in fileInfo): # queue for the workers to process with capture newFileQueue.append(fileInfo) - if debug: - eprint(f"{scriptName}:\t📨\t{fileInfo}") + logging.info(f"{scriptName}:\t📨\t{fileInfo}") # graceful shutdown - if debug: - eprint(f"{scriptName}: shutting down...") + logging.info(f"{scriptName}: shutting down...") time.sleep(5) 
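Review bot: Dropping the `scannerThreads =` assignment leaves each `ThreadPool(...)` unreferenced immediately after construction (the `@@ -728`, `@@ -747` and `@@ -764` hunks here); on CPython 3.8+ a running pool that is garbage-collected emits a ResourceWarning from `Pool.__del__`, and nothing ever calls `close()`/`join()` on it. The worker threads themselves keep running inside the initializer loop, so this is probably not a functional regression, but keeping the handle (`scannerThreads = ThreadPool(`) and closing it after the main loop, or using the pool as a context manager, is the cleaner shape. main()'s body continues outside the hunk.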
diff --git a/shared/bin/pcap_utils.py b/shared/bin/pcap_utils.py index b1c166a2a..2c9bf4f57 100644 --- a/shared/bin/pcap_utils.py +++ b/shared/bin/pcap_utils.py 
@@ -23,123 +23,6 @@ FILE_INFO_FILE_MIME = "mime" FILE_INFO_DICT_NODE = "node" -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) - sys.stderr.flush() - - -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ('yes', 'true', 't', 'y', '1'): - return True - elif v.lower() in ('no', 'false', 'f', 'n', '0'): - return False - else: - raise argparse.ArgumentTypeError('Boolean value expected.') - - -################################################################################################### -# strip a prefix from the beginning of a string if needed -def remove_prefix(text, prefix): - if (len(prefix) > 0) and text.startswith(prefix): - return text[len(prefix) :] - else: - return text - - -################################################################################################### -# open a file and close it, updating its access time -def touch(filename): - open(filename, 'a').close() - os.utime(filename, None) - - -################################################################################################### -# run command with arguments and return its exit code, stdout, and stderr -def check_output_input(*popenargs, **kwargs): - - if 'stdout' in kwargs: - raise ValueError('stdout argument not allowed, it will be overridden') - - if 'stderr' in kwargs: - raise ValueError('stderr argument not allowed, it will be overridden') - - if 'input' in kwargs and kwargs['input']: - if 'stdin' in kwargs: - raise ValueError('stdin and input arguments may not both be used') - inputdata = kwargs['input'] - kwargs['stdin'] = PIPE - else: - inputdata = None - kwargs.pop('input', None) - - process = Popen(*popenargs, stdout=PIPE, stderr=PIPE, **kwargs) - try: - output, errput = process.communicate(inputdata) - 
except: - process.kill() - process.wait() - raise - - retcode = process.poll() - - return retcode, output, errput - - -################################################################################################### -# run command with arguments and return its exit code and output -def run_process(command, stdout=True, stderr=True, stdin=None, cwd=None, env=None, debug=False): - - retcode = -1 - output = [] - - try: - # run the command - retcode, cmdout, cmderr = check_output_input(command, input=stdin.encode() if stdin else None, cwd=cwd, env=env) - - # split the output on newlines to return a list - if stderr and (len(cmderr) > 0): - output.extend(cmderr.decode(sys.getdefaultencoding()).split('\n')) - if stdout and (len(cmdout) > 0): - output.extend(cmdout.decode(sys.getdefaultencoding()).split('\n')) - - except (FileNotFoundError, OSError, IOError) as e: - if stderr: - output.append("Command {} not found or unable to execute".format(command)) - - if debug: - eprint( - "{}{} returned {}: {}".format( - command, "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if stdin else ""), retcode, output - ) - ) - - return retcode, output - - -################################################################################################### -class AtomicInt: - def __init__(self, value=0): - self.val = RawValue('i', value) - self.lock = Lock() - - def increment(self): - with self.lock: - self.val.value += 1 - return self.val.value - - def decrement(self): - with self.lock: - self.val.value -= 1 - return self.val.value - - def value(self): - with self.lock: - return self.val.value - ################################################################################################### # split a PCAP filename up into tags diff --git a/shared/bin/pcap_watcher.py b/shared/bin/pcap_watcher.py index 34846d2dd..f275493d4 100755 --- a/shared/bin/pcap_watcher.py +++ b/shared/bin/pcap_watcher.py 
@@ -14,22 +14,39 @@ import json import logging import magic -import malcolm_common import os import pathlib -import pyinotify import signal import sys import time import zmq -from pcap_utils import * +from pcap_utils import ( + FILE_INFO_DICT_NAME, + FILE_INFO_DICT_NODE, + FILE_INFO_DICT_SIZE, + FILE_INFO_DICT_TAGS, + FILE_INFO_FILE_MIME, + FILE_INFO_FILE_TYPE, + PCAP_MIME_TYPES, + PCAP_TOPIC_PORT, + tags_from_filename, +) +import malcolm_utils +from malcolm_utils import eprint, str2bool, ParseCurlFile, remove_prefix, touch +import watch_common + from collections import defaultdict +from multiprocessing.pool import ThreadPool from opensearchpy import OpenSearch, Search from opensearchpy.exceptions import ConnectionError, ConnectionTimeout from urllib3.exceptions import NewConnectionError +from watchdog.observers import Observer +from watchdog.observers.polling import PollingObserver +from watchdog.utils import WatchdogShutdown + ################################################################################################### MINIMUM_CHECKED_FILE_SIZE_DEFAULT = 24 MAXIMUM_CHECKED_FILE_SIZE_DEFAULT = 32 * 1024 * 1024 * 1024 
@@ -41,32 +58,27 @@ ARKIME_FILE_SIZE_FIELD = "filesize" ################################################################################################### -debug = False -verboseDebug = False pdbFlagged = False args = None opensearchHttpAuth = None scriptName = os.path.basename(__file__) scriptPath = os.path.dirname(os.path.realpath(__file__)) origPath = os.getcwd() -shuttingDown = False +shuttingDown = [False] DEFAULT_NODE_NAME = os.getenv('PCAP_NODE_NAME', 'malcolm') ################################################################################################### # watch files written to and moved to this directory -class EventWatcher(pyinotify.ProcessEvent): - # notify on files written in-place then closed (IN_CLOSE_WRITE), and moved into this directory (IN_MOVED_TO) - _methods = ["IN_CLOSE_WRITE", "IN_MOVED_TO"] - - def __init__(self): +class EventWatcher: + def __init__(self, logger=None): global args global opensearchHttpAuth - global debug - global verboseDebug + global shuttingDown super().__init__() + self.logger = logger if logger else logging self.useOpenSearch = False self.openSearchClient = None @@ -76,11 +88,10 @@ def __init__(self): healthy = False # create the connection to OpenSearch - while (not connected) and (not shuttingDown): + while (not connected) and (not shuttingDown[0]): try: try: - if debug: - eprint(f"{scriptName}:\tconnecting to OpenSearch {args.opensearchUrl}...") + self.logger.info(f"{scriptName}:\tconnecting to OpenSearch {args.opensearchUrl}...") self.openSearchClient = OpenSearch( hosts=[args.opensearchUrl], 
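Review bot: `super().__init__()` in `EventWatcher.__init__` now resolves to `object.__init__` because the `pyinotify.ProcessEvent` base class was removed, and the `global shuttingDown` declaration is no longer needed since the method only reads `shuttingDown[0]`; both are harmless leftovers but misleading to the next reader. Dropping the `_methods = ["IN_CLOSE_WRITE", "IN_MOVED_TO"]` filter also moves the "only react to files that are closed after writing or moved in" guarantee out of this class; where it now lives (presumably `watch_common`, not visible here) should be stated on the class, e.g. `# processFile() is expected to be called by the watch_common observer only for files closed after write or moved into the watched directory`. The switch to `shuttingDown = [False]` deserves a one-line comment as well, since a single-element list is an unusual way to share a flag. `EventWatcher.__init__` continues outside this hunk.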
@@ -91,16 +102,14 @@ def __init__(self): request_timeout=1, ) - if verboseDebug: - eprint(f"{scriptName}:\t{self.openSearchClient.cluster.health()}") + self.logger.debug(f"{scriptName}:\t{self.openSearchClient.cluster.health()}") self.openSearchClient.cluster.health( wait_for_status='red', request_timeout=1, ) - if verboseDebug: - eprint(f"{scriptName}:\t{self.openSearchClient.cluster.health()}") + self.logger.debug(f"{scriptName}:\t{self.openSearchClient.cluster.health()}") connected = self.openSearchClient is not None if not connected: @@ -112,12 +121,12 @@ def __init__(self): ConnectionRefusedError, NewConnectionError, ) as connError: - if debug: - eprint(f"{scriptName}:\tOpenSearch connection error: {connError}") + self.logger.error(f"{scriptName}:\tOpenSearch connection error: {connError}") except Exception as genericError: - if debug: - eprint(f"{scriptName}:\tUnexpected exception while connecting to OpenSearch: {genericError}") + self.logger.error( + f"{scriptName}:\tUnexpected exception while connecting to OpenSearch: {genericError}" + ) if (not connected) and args.opensearchWaitForHealth: time.sleep(1) @@ -127,16 +136,14 @@ def __init__(self): break # if requested, wait for at least "yellow" health in the cluster for the "files" index - while connected and args.opensearchWaitForHealth and (not healthy) and (not shuttingDown): + while connected and args.opensearchWaitForHealth and (not healthy) and (not shuttingDown[0]): try: - if debug: - eprint(f"{scriptName}:\twaiting for OpenSearch to be healthy") + self.logger.info(f"{scriptName}:\twaiting for OpenSearch to be healthy") self.openSearchClient.cluster.health( index=ARKIME_FILES_INDEX, wait_for_status='yellow', ) - if verboseDebug: - eprint(f"{scriptName}:\t{self.openSearchClient.cluster.health()}") + self.logger.debug(f"{scriptName}:\t{self.openSearchClient.cluster.health()}") healthy = True except ( 
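Review bot: `self.logger.debug(f"{scriptName}:\t{self.openSearchClient.cluster.health()}")` evaluates its f-string, and therefore issues an extra `cluster.health()` request to OpenSearch, before the logger decides whether DEBUG is enabled, so every pass of the connection loop and of the health-wait loop (`@@ -127` hunk here, `@@ -145` on the next line) pays a network round-trip that is discarded at the default WARNING level. Guard those calls with `isEnabledFor(logging.DEBUG)` (`logging.root.isEnabledFor(...)` covers the case where the `logging` module itself is passed as `logger`), or log the value returned by the `cluster.health(wait_for_status=...)` call that is made anyway, which presumably carries the same health document. `EventWatcher.__init__` starts and ends outside this hunk.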
@@ -145,8 +152,7 @@ def __init__(self): ConnectionRefusedError, NewConnectionError, ) as connError: - if verboseDebug: - eprint(f"{scriptName}:\tOpenSearch health check: {connError}") + self.logger.debug(f"{scriptName}:\tOpenSearch health check: {connError}") if not healthy: time.sleep(1) @@ -157,8 +163,7 @@ def __init__(self): self.context = zmq.Context() # Socket to send messages on - if debug: - eprint(f"{scriptName}:\tbinding publisher port {PCAP_TOPIC_PORT}") + self.logger.info(f"{scriptName}:\tbinding publisher port {PCAP_TOPIC_PORT}") self.topic_socket = self.context.socket(zmq.PUB) self.topic_socket.bind(f"tcp://*:{PCAP_TOPIC_PORT}") 
@@ -166,34 +171,27 @@ def __init__(self): # and if he can't then what's the point? just block # self.topic_socket.SNDTIMEO = 5000 - if debug: - eprint(f"{scriptName}:\tEventWatcher initialized") + self.logger.info(f"{scriptName}:\tEventWatcher initialized") - -################################################################################################### -# set up event processor to append processed events from to the event queue -def event_process_generator(cls, method): - # actual method called when we are notified of a file - def _method_name(self, event): + ################################################################################################### + # set up event processor to append processed events from to the event queue + def processFile(self, pathname): global args - global debug - global verboseDebug - if debug: - eprint(f"{scriptName}:\t👓\t{event.pathname}") + self.logger.info(f"{scriptName}:\t👓\t{pathname}") # the entity must be a regular PCAP file and actually exist - if (not event.dir) and os.path.isfile(event.pathname): + if os.path.isfile(pathname): # get the file magic description and mime type - fileMime = magic.from_file(event.pathname, mime=True) - fileType = magic.from_file(event.pathname) + fileMime = magic.from_file(pathname, mime=True) + fileType = magic.from_file(pathname) # get the file size, in bytes to compare against sane values - fileSize = os.path.getsize(event.pathname) + fileSize = os.path.getsize(pathname) if (args.minBytes <= fileSize <= args.maxBytes) and ( (fileMime in PCAP_MIME_TYPES) or ('pcap-ng' in fileType) ): - relativePath = remove_prefix(event.pathname, os.path.join(args.baseDir, '')) + relativePath = remove_prefix(pathname, os.path.join(args.baseDir, '')) # check with Arkime's files index in OpenSearch and make sure it's not a duplicate fileIsDuplicate = False 
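Review bot: `processFile` checks `os.path.isfile(pathname)` and then calls `magic.from_file` and `os.path.getsize` on the same path, so a file deleted or moved between the check and those calls raises `FileNotFoundError` out of the method; the window is small but real for a directory that other processes rotate. Now that the method is a plain callable run from the worker thread rather than a `pyinotify` callback, it should catch `OSError` around the stat/magic calls, log the path at `info`, and return, instead of relying on whatever `ProcessFileEventWorker` does with an exception. A docstring is also missing; something like `"""Examine one path reported by the watcher and, if it is a right-sized PCAP not already in Arkime's files index, publish its metadata as JSON on the zmq PUB socket."""` would do. The method's body continues in the next hunk.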
@@ -212,16 +210,14 @@ def _method_name(self, event): if fileIsDuplicate: # this is duplicate file (it's been processed before) so ignore it - if debug: - eprint(f"{scriptName}:\t📋\t{event.pathname}") + self.logger.info(f"{scriptName}:\t📋\t{pathname}") else: # the entity is a right-sized non-duplicate file, and it exists, so send it to get processed - if debug: - eprint(f"{scriptName}:\t📩\t{event.pathname}") + self.logger.info(f"{scriptName}:\t📩\t{pathname}") try: fileInfo = { - FILE_INFO_DICT_NAME: event.pathname if args.includeAbsolutePath else relativePath, + FILE_INFO_DICT_NAME: pathname if args.includeAbsolutePath else relativePath, FILE_INFO_DICT_SIZE: fileSize, FILE_INFO_FILE_MIME: fileMime, FILE_INFO_FILE_TYPE: fileType, @@ -229,27 +225,25 @@ def _method_name(self, event): FILE_INFO_DICT_TAGS: tags_from_filename(relativePath), } self.topic_socket.send_string(json.dumps(fileInfo)) - if debug: - eprint(f"{scriptName}:\t📫\t{fileInfo}") - except zmq.Again as timeout: - if verboseDebug: - eprint(f"{scriptName}:\t🕑\t{event.pathname}") + self.logger.info(f"{scriptName}:\t📫\t{fileInfo}") + except zmq.Again: + self.logger.debug(f"{scriptName}:\t🕑\t{pathname}") else: # too small/big to care about, or the wrong type, ignore it - if debug: - eprint(f"{scriptName}:\t✋\t{event.pathname}") + self.logger.info(f"{scriptName}:\t✋\t{pathname}") + - # assign process method to class - _method_name.__name__ = "process_{}".format(method) - setattr(cls, _method_name.__name__, _method_name) +def file_processor(pathname, **kwargs): + if "watcher" in kwargs and kwargs["watcher"]: + kwargs["watcher"].processFile(pathname) ################################################################################################### # handle sigint/sigterm and set a global shutdown variable def shutdown_handler(signum, frame): global shuttingDown - shuttingDown = True + shuttingDown[0] = True ################################################################################################### 
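Review bot: `file_processor` silently does nothing when `kwargs` carries no truthy `watcher`, which hides a wiring mistake in the `ProcessFileEventWorker` argument list; logging the dropped path makes that visible, and `kwargs.get` reads better than the `in`-then-index pair: `watcher = kwargs.get("watcher")` / `if watcher: watcher.processFile(pathname)` / `else: logging.warning(f"{scriptName}:\tno watcher for {pathname}")`. `shutdown_handler` keeps `global shuttingDown` although it now only assigns `shuttingDown[0]`; harmless, but a short comment that the list wrapper exists so the worker can observe the flag by reference would explain why a plain boolean was replaced.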
@@ -259,51 +253,16 @@ def pdb_handler(sig, frame): pdbFlagged = True -################################################################################################### -# handle sigusr2 for toggling debug -def debug_toggle_handler(signum, frame): - global debug - global debugToggled - debug = not debug - debugToggled = True - - ################################################################################################### # main def main(): global args global opensearchHttpAuth - global debug - global verboseDebug - global debugToggled global pdbFlagged global shuttingDown parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) - parser.add_argument( - '-v', - '--verbose', - dest='debug', - help="Verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) - parser.add_argument( - '--extra-verbose', - dest='verboseDebug', - help="Super verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) - + parser.add_argument('--verbose', '-v', action='count', default=1, help='Increase verbosity (e.g., -v, -vv, etc.)') parser.add_argument( '--min-bytes', dest='minBytes', @@ -336,7 +295,7 @@ def main(): dest='opensearchCurlRcFile', metavar='', type=str, - default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc'), + default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/curlrc/.opensearch.primary.curlrc'), help='cURL.rc formatted file containing OpenSearch connection parameters', ) parser.add_argument( 
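Review bot: Replacing `-v/--verbose` (`type=str2bool`, `metavar='true|false'`) and `--extra-verbose` with `action='count'` changes the command line: `--verbose true` now fails with `unrecognized arguments: true` because the parser has no positionals, and `--extra-verbose` is rejected outright, so any wrapper or environment-driven invocation still passing the old forms will exit with usage. If such callers exist outside this file they need updating in the same commit, or the old spelling should be accepted during a transition (e.g. keep `--extra-verbose` as `action='store_const'` with `const=3` onto the same `dest`). With `default=1` the baseline is WARNING and a single `-v` gives INFO, which is worth stating in the help string: `help='Increase verbosity (default WARNING; -v INFO, -vv DEBUG)'`.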
@@ -418,6 +377,28 @@ def main(): type=str, required=False, ) + parser.add_argument( + '-p', + '--polling', + dest='polling', + help="Use polling (instead of inotify)", + metavar='true|false', + type=str2bool, + nargs='?', + const=True, + default=os.getenv('PCAP_PIPELINE_POLLING', False), + required=False, + ) + parser.add_argument( + '-c', + '--closed-sec', + dest='assumeClosedSec', + help="When polling, assume a file is closed after this many seconds of inactivity", + metavar='', + type=int, + default=int(os.getenv('PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC', str(watch_common.ASSUME_CLOSED_SEC_DEFAULT))), + required=False, + ) requiredNamed = parser.add_argument_group('required arguments') requiredNamed.add_argument( '-d', '--directory', dest='baseDir', help='Directory to monitor', metavar='', type=str, required=True 
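Review bot: `default=int(os.getenv('PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC', ...))` for `--closed-sec` converts the environment value while the parser is being built, so a non-numeric `PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC` crashes with a bare `ValueError` traceback before any usage text is printed. argparse applies `type=` to string defaults itself, so `default=os.getenv('PCAP_PIPELINE_POLLING_ASSUME_CLOSED_SEC', str(watch_common.ASSUME_CLOSED_SEC_DEFAULT))` gives the same result with a proper `invalid int value` error; the `--polling` option just above already relies on this for its `str2bool` default. `main()` continues beyond this hunk.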
@@ -430,22 +411,19 @@ def main(): parser.print_help() exit(2) - verboseDebug = args.verboseDebug - debug = args.debug or verboseDebug - if debug: - eprint(os.path.join(scriptPath, scriptName)) - eprint("{} arguments: {}".format(scriptName, sys.argv[1:])) - eprint("{} arguments: {}".format(scriptName, args)) - else: + args.verbose = logging.ERROR - (10 * args.verbose) if args.verbose > 0 else 0 + logging.basicConfig( + level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S' + ) + logging.info(os.path.join(scriptPath, scriptName)) + logging.info("Arguments: {}".format(sys.argv[1:])) + logging.info("Arguments: {}".format(args)) + if args.verbose > logging.DEBUG: sys.tracebacklimit = 0 - logging.basicConfig(level=logging.ERROR) - args.opensearchIsLocal = args.opensearchIsLocal or (args.opensearchUrl == 'http://opensearch:9200') opensearchCreds = ( - malcolm_common.ParseCurlFile(args.opensearchCurlRcFile) - if (not args.opensearchIsLocal) - else defaultdict(lambda: None) + ParseCurlFile(args.opensearchCurlRcFile) if (not args.opensearchIsLocal) else defaultdict(lambda: None) ) if not args.opensearchUrl: if args.opensearchIsLocal: 
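Review bot: `args.verbose = logging.ERROR - (10 * args.verbose) if args.verbose > 0 else 0` overwrites the `-v` count with a logging level, so from here on `args.verbose` means "smaller is more verbose", the opposite of its name and of the `--verbose` help text; `if args.verbose > logging.DEBUG: sys.tracebacklimit = 0` a few lines later reads as "if verbose, hide tracebacks" unless the reader knows this. Storing the level under its own name, e.g. `args.logLevel = max(logging.NOTSET, logging.ERROR - 10 * args.verbose)`, and using that in `basicConfig` and the traceback check keeps the count intact and also clamps `-vvvv` and beyond, which currently yield 0 and then negative levels. The `else 0` branch is unreachable since `action='count', default=1` never goes below 1. `main()` continues beyond this hunk.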
@@ -460,25 +438,19 @@ def main(): signal.signal(signal.SIGINT, shutdown_handler) signal.signal(signal.SIGTERM, shutdown_handler) signal.signal(signal.SIGUSR1, pdb_handler) - signal.signal(signal.SIGUSR2, debug_toggle_handler) # sleep for a bit if requested sleepCount = 0 - while (not shuttingDown) and (sleepCount < args.startSleepSec): + while (not shuttingDown[0]) and (sleepCount < args.startSleepSec): time.sleep(1) sleepCount += 1 - # add events to watch to EventWatcher class - for method in EventWatcher._methods: - event_process_generator(EventWatcher, method) - # if directory to monitor doesn't exist, create it now if os.path.isdir(args.baseDir): preexistingDir = True else: preexistingDir = False - if debug: - eprint(f'{scriptName}: creating "{args.baseDir}" to monitor') + logging.info(f'{scriptName}:\tcreating "{args.baseDir}" to monitor') pathlib.Path(args.baseDir).mkdir(parents=False, exist_ok=True) # if recursion was requested, get list of directories to monitor 
@@ -492,44 +464,77 @@ def main(): # begin threaded watch of path(s) time.sleep(1) - event_notifier_started = False - watch_manager = pyinotify.WatchManager() - event_notifier = pyinotify.ThreadedNotifier(watch_manager, EventWatcher()) + observer = PollingObserver() if args.polling else Observer() + handler = watch_common.FileOperationEventHandler( + logger=None, + polling=args.polling, + ) for watchDir in watchDirs: - watch_manager.add_watch(os.path.abspath(watchDir), pyinotify.ALL_EVENTS) - if debug: - eprint(f"{scriptName}: monitoring {watchDirs}") - time.sleep(2) - if not shuttingDown: - event_notifier.start() - event_notifier_started = True - - # if there are any previously included files (and not ignoreExisting), "touch" them so that they will be notified on - if preexistingDir and (not args.ignoreExisting) and (not shuttingDown): - filesTouched = 0 - for watchDir in watchDirs: - for preexistingFile in [os.path.join(watchDir, x) for x in pathlib.Path(watchDir).iterdir() if x.is_file()]: - touch(preexistingFile) - filesTouched += 1 - if debug and (filesTouched > 0): - eprint(f"{scriptName}: found {filesTouched} preexisting files to check") - - # loop forever, or until we're told to shut down, whichever comes first - while not shuttingDown: - if pdbFlagged: - pdbFlagged = False - breakpoint() - time.sleep(0.2) - - # graceful shutdown - if debug: - eprint(f"{scriptName}: shutting down...") - if event_notifier_started: - event_notifier.stop() + logging.debug(f"{scriptName}:\tScheduling {watchDir}") + observer.schedule(handler, watchDir, recursive=False) + + observer.start() + + logging.info(f"{scriptName}:\tmonitoring {watchDirs}") + + try: + time.sleep(2) + + # if there are any previously included files (and not ignoreExisting), "touch" them so that they will be notified on + if preexistingDir and (not args.ignoreExisting) and (not shuttingDown[0]): + filesTouched = 0 + for watchDir in watchDirs: + for preexistingFile in [ + os.path.join(watchDir, x) for x in 
pathlib.Path(watchDir).iterdir() if x.is_file() + ]: + touch(preexistingFile) + filesTouched += 1 + if filesTouched > 0: + logging.info(f"{scriptName}:\tfound {filesTouched} preexisting files to check") + + # start the thread to actually handle the files as they're queued by the FileOperationEventHandler handler + workerThreadCount = malcolm_utils.AtomicInt(value=0) + ThreadPool( + 1, + watch_common.ProcessFileEventWorker( + [ + handler, + observer, + file_processor, + {'watcher': EventWatcher(logger=logging)}, + args.assumeClosedSec, + workerThreadCount, + shuttingDown, + logging, + ], + ), + ) + + # loop forever, or until we're told to shut down, whichever comes first + while (not shuttingDown[0]) and observer.is_alive(): + if pdbFlagged: + pdbFlagged = False + breakpoint() + observer.join(1) + + # graceful shutdown + logging.info(f"{scriptName}:\tshutting down...") + + if shuttingDown[0]: + raise WatchdogShutdown() + + except WatchdogShutdown: + observer.unschedule_all() + + finally: + observer.stop() + observer.join() + time.sleep(1) + while workerThreadCount.value() > 0: + time.sleep(1) - if debug: - eprint(f"{scriptName}: finished monitoring {watchDirs}") + logging.info(f"{scriptName}:\tfinished monitoring {watchDirs}") if __name__ == '__main__': diff --git a/shared/bin/sensor-capture-disk-config.py b/shared/bin/sensor-capture-disk-config.py index afa77cf78..b5f82f7e0 100755 --- a/shared/bin/sensor-capture-disk-config.py +++ b/shared/bin/sensor-capture-disk-config.py @@ -17,9 +17,10 @@ import argparse import fileinput from collections import defaultdict -from sensorcommon import * from fstab import Fstab +from malcolm_utils import remove_prefix, str2bool, sizeof_fmt, run_process, eprint + MINIMUM_CAPTURE_DEVICE_BYTES = 100 * 1024 * 1024 * 1024 # 100GiB CAPTURE_MOUNT_ROOT_PATH = "/capture" CAPTURE_MOUNT_PCAP_DIR = "pcap" 
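Review bot: `workerThreadCount` is first assigned inside the `try:` block but read in `finally:` (`while workerThreadCount.value() > 0`), so any exception raised before that assignment — `touch()` failing on a preexisting file, or the `EventWatcher(logger=logging)` constructed inside the `ThreadPool(...)` argument list raising from its zmq `bind` — is replaced by an `UnboundLocalError` from the `finally` clause, hiding the real cause. Move `workerThreadCount = malcolm_utils.AtomicInt(value=0)` up beside `observer`/`handler`, before the `try:`. The `ThreadPool(1, ...)` instance is not bound to a name; whether an unreferenced pool stays alive for the life of `main()` is implementation-dependent, so keeping a reference (and closing it in `finally`) would make the lifetime explicit. `handler` is built with `logger=None` while the `EventWatcher` next to it gets `logger=logging`; passing `logging` to both keeps the two halves of the pipeline logging the same way.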
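Review bot: The explicit imports that replace `from sensorcommon import *` bring in `remove_prefix, str2bool, sizeof_fmt, run_process, eprint` from `malcolm_utils`, but `YesOrNo`, still called in `main()` (`YesOrNo('Unmount any mounted capture path(s)?')`), is not among them; unless it is defined or imported elsewhere in this file, that call now raises `NameError`. Also worth confirming which `run_process` `malcolm_utils` exports: this file passes whole command lines such as `umount {path}` and `/bin/lsblk -o name,... /dev/{device}` as a single string, which only works with the `shell=True` variant removed from `sensorcommon.py` in this same diff, whereas `sensorcommon.py` itself now calls `run_subprocess` for that style of command and the `Popen`-based `run_process` removed from `suricata_config_populate.py` would try to execute the whole string as a program name. If `malcolm_utils.run_process` is the latter, every `run_process(...)` call in this file should become `run_subprocess(...)`.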
@@ -37,6 +38,7 @@ debug = False + ################################################################################################### # used to map output of lsblk class PartitionInfo: @@ -74,6 +76,7 @@ def CreateMapperDeviceName(device): ################################################################################################### + ################################################################################################### # determine if a device (eg., sda) is an internal (True) or removable (False) device def IsInternalDevice(name): @@ -124,7 +127,6 @@ def GetDeviceSize(device): # main ################################################################################################### def main(): - # to parse fdisk output, look for partitions after partitions header line fdisk_pars_begin_pattern = re.compile(r'^Device\s+Start\s+End\s+Sectors\s+Size\s+Type\s*$') # to parse partitions from fdisk output after parted creates partition table @@ -194,9 +196,9 @@ def main(): # unmount existing mounts if requested if args.umount and (not args.dryrun): - if (not args.interactive) or YesOrNo(f'Unmount any mounted capture path(s)?'): + if (not args.interactive) or YesOrNo('Unmount any mounted capture path(s)?'): if debug: - eprint(f"Attempting unmount of capture path(s)...") + eprint("Attempting unmount of capture path(s)...") run_process(f"umount {os.path.join(CAPTURE_MOUNT_ROOT_PATH, CAPTURE_MOUNT_PCAP_DIR)}") run_process(f"umount {os.path.join(CAPTURE_MOUNT_ROOT_PATH, CAPTURE_MOUNT_ZEEK_DIR)}") run_process(f"umount {CAPTURE_MOUNT_ROOT_PATH}") @@ -212,7 +214,7 @@ def main(): if debug: for line in cryptOut: eprint(f"\t{line}") - _, reloadOut = run_process(f"systemctl daemon-reload") + _, reloadOut = run_process("systemctl daemon-reload") # check existing mounts, if the capture path(s) are already mounted, then abort with open('/proc/mounts', 'r') as f: 
@@ -225,7 +227,7 @@ def main(): f"It appears there is already a device mounted under {CAPTURE_MOUNT_ROOT_PATH} at {mountPoint}." ) eprint( - f"If you wish to continue, you may run this script with the '-u|--umount' option to umount first." + "If you wish to continue, you may run this script with the '-u|--umount' option to umount first." ) eprint() parser.print_help() @@ -234,7 +236,7 @@ def main(): # get physical disks, partitions, device maps, and any mountpoints and UUID associated allDisks = defaultdict(list) if debug: - eprint(f"Block devices:") + eprint("Block devices:") for device in GetInternalDevices(): ecode, deviceTree = run_process( f'/bin/lsblk -o name,uuid,mountpoint --paths --noheadings /dev/{device}', stdout=True, stderr=False @@ -308,7 +310,6 @@ def main(): eprint(f"Device candidates: {[(x, sizeof_fmt(GetDeviceSize(x))) for x in candidateDevs]}") if len(candidateDevs) > 0: - if args.encrypt: # create keyfile (will be on the encrypted system drive, and used to automatically unlock the encrypted capture drives) with open(CAPTURE_CRYPT_KEYFILE, 'wb') as f: @@ -318,7 +319,6 @@ def main(): # partition/format each candidate device for device in candidateDevs: - # we only need at most two drives (one for pcap, one for zeek), or at least one if len(formattedDevs) >= 2: break @@ -326,7 +326,6 @@ def main(): if (not args.interactive) or YesOrNo( f'Partition and format {device}{" (dry-run)" if args.dryrun else ""}?' ): - if args.dryrun: eprint(f"Partitioning {device} (dry run only)...") eprint( @@ -366,7 +365,6 @@ def main(): pars.append(match.group('device')) if len(pars) == 1: - parDev = pars[0] parUuid = str(uuid.uuid4()) parMapperDev = None @@ -386,7 +384,7 @@ def main(): else: print(line) - _, reloadOut = run_process(f"systemctl daemon-reload") + _, reloadOut = run_process("systemctl daemon-reload") # for good measure, run luksErase in case it was a previous luks volume if debug: 
@@ -401,7 +399,7 @@ def main(): for line in cryptOut: eprint(f"\t{line}") - _, reloadOut = run_process(f"systemctl daemon-reload") + _, reloadOut = run_process("systemctl daemon-reload") # luks volume creation @@ -418,7 +416,6 @@ def main(): for line in cryptOut: eprint(f"\t{line}") if ecode == 0: - # open the luks volume in /dev/mapper/ if debug: eprint(f"Running crypsetup luksOpen on {device}...") @@ -468,7 +465,9 @@ def main(): ) else: - eprint(f"Error {ecode} formatting {formatPath}, giving up on {device}") + eprint( + f"Error {ecode} formatting {parMapperDev if args.encrypt else parDev}, giving up on {device}" + ) else: eprint( @@ -494,7 +493,7 @@ def main(): run_process(f"umount {os.path.join(CAPTURE_MOUNT_ROOT_PATH, CAPTURE_MOUNT_ZEEK_DIR)}") run_process(f"umount {CAPTURE_MOUNT_ROOT_PATH}") - _, reloadOut = run_process(f"systemctl daemon-reload") + _, reloadOut = run_process("systemctl daemon-reload") # clean out any previous fstab entries that might be interfering from previous configurations if Fstab.remove_by_mountpoint(os.path.join(CAPTURE_MOUNT_ROOT_PATH, CAPTURE_MOUNT_PCAP_DIR), path=FSTAB_FILE): @@ -512,7 +511,7 @@ def main(): eprint(f"Removed previous {CAPTURE_MOUNT_ROOT_PATH} mount from {FSTAB_FILE}") # reload tab files with systemctl - _, reloadOut = run_process(f"systemctl daemon-reload") + _, reloadOut = run_process("systemctl daemon-reload") # get the GID of the group of the user(s) that will be doing the capture try: @@ -521,7 +520,7 @@ def main(): netdevGuid = int(guidGetOut[0].split(':')[2]) else: netdevGuid = -1 - except: + except Exception: netdevGuid = -1 # rmdir any mount directories that might be interfering from previous configurations 
@@ -558,7 +557,7 @@ def main(): entry = Fstab.add( device=f"{par.mapper}", mountpoint=par.mount, - options=f"defaults,inode64,noatime,rw,auto,user,x-systemd.device-timeout=600s", + options="defaults,inode64,noatime,rw,auto,user,x-systemd.device-timeout=600s", fs_passno=2, filesystem='xfs', path=FSTAB_FILE, @@ -567,7 +566,7 @@ def main(): entry = Fstab.add( device=f"UUID={par.uuid}", mountpoint=par.mount, - options=f"defaults,inode64,noatime,rw,auto,user,x-systemd.device-timeout=600s", + options="defaults,inode64,noatime,rw,auto,user,x-systemd.device-timeout=600s", fs_passno=2, filesystem='xfs', path=FSTAB_FILE, @@ -575,11 +574,10 @@ def main(): eprint(f'Added "{entry}" to {FSTAB_FILE} for {par.partition}') # reload tab files with systemctl - _, reloadOut = run_process(f"systemctl daemon-reload") + _, reloadOut = run_process("systemctl daemon-reload") # mount the partitions and create a directory with user permissions for par in formattedDevs: - ecode, mountOut = run_process(f"mount {par.mount}") if ecode == 0: if debug: @@ -629,7 +627,7 @@ def main(): eprint(f"Error {ecode} mounting {par.partition}") else: - eprint(f"Could not find any unmounted devices greater than 100GB, giving up") + eprint("Could not find any unmounted devices greater than 100GB, giving up") if __name__ == '__main__': diff --git a/shared/bin/sensorcommon.py b/shared/bin/sensorcommon.py index 409fe0c77..19d97f3ff 100644 --- a/shared/bin/sensorcommon.py +++ b/shared/bin/sensorcommon.py 
@@ -9,20 +9,21 @@ import os import socket import ssl -import subprocess import sys import urllib.request +import subprocess from base64 import b64encode from bs4 import BeautifulSoup from bs4.element import Comment -from contextlib import closing from http.client import HTTPSConnection, HTTPConnection -from multiprocessing import RawValue -from threading import Lock +from subprocess import PIPE, STDOUT, Popen, CalledProcessError + +from malcolm_utils import run_subprocess NIC_BLINK_SECONDS = 10 + ################################################################################################### class CancelledError(Exception): """Raised when user cancels the operation""" 
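Review bot: `import subprocess` is moved from its sorted position to after `urllib.request`, and the new `from subprocess import PIPE, STDOUT, Popen, CalledProcessError` line brings in four names that none of the visible hunks in this file use (`identify_adapter` reaches `subprocess.DEVNULL` through the module import and otherwise calls `run_subprocess`). If they are not used elsewhere in the file, drop that line and put `import subprocess` back in alphabetical order; if they are, a short comment on what still drives `Popen` directly now that `run_process` has moved to `malcolm_utils` would help the next reader.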
@@ -44,91 +45,6 @@ def clearquit(): sys.exit(0) -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) - - -################################################################################################### -# urlencode each character of a string -def aggressive_url_encode(string): - return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string) - - -################################################################################################### -# strip a prefix from the beginning of a string if needed -def remove_prefix(text, prefix): - if (len(prefix) > 0) and text.startswith(prefix): - return text[len(prefix) :] - else: - return text - - -################################################################################################### -# nice human-readable file sizes -def sizeof_fmt(num, suffix='B'): - for unit in ['', 'Ki', 'Mi', 'Gi', 'Ti', 'Pi', 'Ei', 'Zi']: - if abs(num) < 1024.0: - return "%3.1f%s%s" % (num, unit, suffix) - num /= 1024.0 - return "%.1f%s%s" % (num, 'Yi', suffix) - - -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ('yes', 'true', 't', 'y', '1'): - return True - elif v.lower() in ('no', 'false', 'f', 'n', '0'): - return False - else: - raise argparse.ArgumentTypeError('Boolean value expected.') - - -################################################################################################### -# will it float? 
-def isfloat(value): - try: - float(value) - return True - except ValueError: - return False - - -################################################################################################### -# check a string or list to see if something is a valid IP address -def isipaddress(value): - result = True - try: - if isinstance(value, list) or isinstance(value, tuple) or isinstance(value, set): - for v in value: - ip = ipaddress.ip_address(v) - else: - ip = ipaddress.ip_address(value) - except: - result = False - return result - - -################################################################################################### -# execute a shell process returning its exit code and output -def run_process(command, stdout=True, stderr=False, stdin=None, timeout=60): - retcode = -1 - output = [] - p = subprocess.run( - [command], input=stdin, universal_newlines=True, capture_output=True, shell=True, timeout=timeout - ) - if p: - retcode = p.returncode - if stderr and p.stderr: - output.extend(p.stderr.splitlines()) - if stdout and p.stdout: - output.extend(p.stdout.splitlines()) - - return retcode, output - - def tag_visible(element): if element.parent.name in ['style', 'script', 'head', 'title', 'meta', '[document]']: return False 
@@ -195,23 +111,11 @@ def test_connection( return status, message, output -################################################################################################### -# test if a remote port is open -def check_socket(host, port): - with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock: - sock.settimeout(10) - if sock.connect_ex((host, port)) == 0: - return True - else: - return False - - ################################################################################################### # determine a list of available (non-virtual) adapters (Iface's) def get_available_adapters(): - available_adapters = [] - _, all_iface_list = run_process("find /sys/class/net/ -mindepth 1 -maxdepth 1 -type l -printf '%P %l\\n'") + _, all_iface_list = run_subprocess("find /sys/class/net/ -mindepth 1 -maxdepth 1 -type l -printf '%P %l\\n'") available_iface_list = [x.split(" ", 1)[0] for x in all_iface_list if 'virtual' not in x] # for each adapter, determine its MAC address and link speed @@ -221,12 +125,12 @@ def get_available_adapters(): try: with open(f"/sys/class/net/{adapter}/address", 'r') as f: mac_address = f.readline().strip() - except: + except Exception: pass try: with open(f"/sys/class/net/{adapter}/speed", 'r') as f: speed = f.readline().strip() - except: + except Exception: pass description = f"{mac_address} ({speed} Mbits/sec)" iface = Iface(adapter, description) @@ -245,7 +149,7 @@ def identify_adapter(adapter, duration=NIC_BLINK_SECONDS, background=False): stderr=subprocess.DEVNULL, ) else: - retCode, _ = run_process( + retCode, _ = run_subprocess( f"/sbin/ethtool --identify {adapter} {duration}", stdout=False, stderr=False, timeout=duration * 2 ) return retCode == 0 diff --git a/shared/bin/service_check_passthrough.sh b/shared/bin/service_check_passthrough.sh index cac188740..80a3142e8 100755 --- a/shared/bin/service_check_passthrough.sh +++ b/shared/bin/service_check_passthrough.sh 
@@ -51,7 +51,7 @@ while getopts 'vds:p:f:' OPTION; do ;; ?) - echo "script usage: $(basename $0) [-v] [-i input]" >&2 + echo "script usage: $(basename $0) [-v (verbose)] [-d (disabled)] [-s ] [-p ] [-f ]" >&2 exit 1 ;; esac @@ -100,7 +100,7 @@ fi if [[ -n "$SERVICE" ]]; then if [[ -z "$PORT" ]]; then if [[ "$SERVICE" == "api" ]]; then - PORT=500 + PORT=5000 elif [[ "$SERVICE" == "arkime" ]]; then PORT=8005 elif [[ "$SERVICE" == "dashboards" ]]; then @@ -113,25 +113,19 @@ if [[ -n "$SERVICE" ]]; then PORT=10004 elif [[ "$SERVICE" == "logstash" ]]; then PORT=9600 - elif [[ "$SERVICE" == "name-map-ui" ]]; then - PORT=8080 elif [[ "$SERVICE" == "netbox" ]]; then PORT=8080 elif [[ "$SERVICE" == "opensearch" ]]; then PORT=9200 fi fi - if [[ -z "$FORMAT" ]]; then - if [[ "$SERVICE" == "api" ]]; then - FORMAT=json - elif [[ "$SERVICE" == "logstash" ]]; then - FORMAT=json - elif [[ "$SERVICE" == "netbox" ]]; then - FORMAT=json - elif [[ "$SERVICE" == "opensearch" ]]; then - FORMAT=json - fi - fi + [[ -z "$FORMAT" ]] && \ + ([[ "$SERVICE" == "api" ]] || \ + [[ "$SERVICE" == "dashboards-helper" ]] || \ + [[ "$SERVICE" == "freq" ]] || \ + [[ "$SERVICE" == "logstash" ]] || \ + [[ "$SERVICE" == "netbox" ]] || \ + [[ "$SERVICE" == "opensearch" ]]) && FORMAT=json fi [[ -z "$PORT" ]] && PORT=80 [[ -z "$FORMAT" ]] && FORMAT=http diff --git a/shared/bin/suricata_config_populate.py b/shared/bin/suricata_config_populate.py index d5d30406f..85977b525 100755 --- a/shared/bin/suricata_config_populate.py +++ b/shared/bin/suricata_config_populate.py @@ -27,6 +27,8 @@ from shutil import move as MoveFile, copyfile as CopyFile from subprocess import PIPE, Popen +from malcolm_utils import val2bool, deep_set, pushd, run_process + ################################################################################################### args = None script_return_code = 0 
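Review bot: The new `FORMAT` default uses `( [[ ... ]] || [[ ... ]] ... )`, which runs the tests in a subshell purely for grouping; `{ ...; }` would avoid the fork, but a `case` is clearer and easier to extend than a chain of `||`: `if [[ -z "$FORMAT" ]]; then case "$SERVICE" in api|dashboards-helper|freq|logstash|netbox|opensearch) FORMAT=json ;; esac; fi`. The hunk also adds `dashboards-helper` and `freq` to the JSON set, and the `-f` usage text updated in this file's first hunk does not say which services default to JSON, so a one-line comment above the `case` listing them would keep the two in sync.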
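Review bot: `from malcolm_utils import val2bool, deep_set, pushd, run_process` covers four of the helpers deleted from this file in the following hunk, but `deep_get`, `get_iterable` and `check_output_input` are removed there without a replacement import; if any of them is still called further down in `main()`, that is a `NameError` at runtime. The `from subprocess import PIPE, Popen` two lines above served only the deleted `check_output_input`, and any `contextlib`/`Iterable` imports above this hunk served only `pushd`/`get_iterable`, so they are likely unused now. A one-line comment noting that `run_process` here is the `Popen`-based variant (argv list, `cwd`/`env`, no shell) would help, since `sensorcommon.py` in the same diff imports a differently named `run_subprocess` for shell command strings.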
@@ -38,129 +40,6 @@ YAML_VERSION = (1, 1) BACKUP_FILES_MAX = 10 -################################################################################################### -def val2bool(v): - try: - if v is None: - return False - elif isinstance(v, bool): - return v - elif isinstance(v, str): - if v.lower() in ("yes", "true", "t", "y"): - return True - elif v.lower() in ("no", "false", "f", "n"): - return False - else: - raise ValueError(f'Boolean value expected (got {v})') - else: - raise ValueError(f'Boolean value expected (got {v})') - except: - # just pitch it back and let the caller worry about it - return v - - -################################################################################################### -@contextlib.contextmanager -def pushd(directory): - prevDir = os.getcwd() - os.chdir(directory) - try: - yield - finally: - os.chdir(prevDir) - - -################################################################################################### -def get_iterable(x): - if isinstance(x, Iterable) and not isinstance(x, str): - return x - else: - return (x,) - - -################################################################################################### -def deep_get(d, keys, default=None): - k = get_iterable(keys) - if d is None: - return default - if not keys: - return d - return deep_get(d.get(k[0]), k[1:], default) - - -################################################################################################### -def deep_set(d, keys, value, deleteIfNone=False): - k = get_iterable(keys) - for key in k[:-1]: - if (key not in d) or (not isinstance(d[key], dict)): - d[key] = dict() - d = d[key] - d[k[-1]] = value - if (deleteIfNone == True) and (value is None): - d.pop(k[-1], None) - - -################################################################################################### -# run command with arguments and return its exit code, stdout, and stderr -def check_output_input(*popenargs, **kwargs): - - if 'stdout' in kwargs: - raise 
ValueError('stdout argument not allowed, it will be overridden') - - if 'stderr' in kwargs: - raise ValueError('stderr argument not allowed, it will be overridden') - - if 'input' in kwargs and kwargs['input']: - if 'stdin' in kwargs: - raise ValueError('stdin and input arguments may not both be used') - inputdata = kwargs['input'] - kwargs['stdin'] = PIPE - else: - inputdata = None - kwargs.pop('input', None) - - process = Popen(*popenargs, stdout=PIPE, stderr=PIPE, **kwargs) - try: - output, errput = process.communicate(input=inputdata) - except: - process.kill() - process.wait() - raise - - retcode = process.poll() - - return retcode, output, errput - - -################################################################################################### -# run command with arguments and return its exit code and output -def run_process(command, stdout=True, stderr=True, stdin=None, cwd=None, env=None): - - retcode = -1 - output = [] - - try: - # run the command - retcode, cmdout, cmderr = check_output_input(command, input=stdin.encode() if stdin else None, cwd=cwd, env=env) - - # split the output on newlines to return a list - if stderr and (len(cmderr) > 0): - output.extend(cmderr.decode(sys.getdefaultencoding()).split('\n')) - if stdout and (len(cmdout) > 0): - output.extend(cmdout.decode(sys.getdefaultencoding()).split('\n')) - - except (FileNotFoundError, OSError, IOError) as e: - if stderr: - output.append("Command {} not found or unable to execute".format(command)) - - logging.debug( - "{}{} returned {}: {}".format( - command, "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if stdin else ""), retcode, output - ) - ) - - return retcode, output - ################################################################################################### # run command with arguments and return its exit code and output 
@@ -173,7 +52,7 @@ def __call__(self, repr, data): ################################################################################################### def ObjToYamlStrLines(obj, options=None): outputStr = None - if options == None: + if options is None: options = {} yaml = YAML() @@ -641,13 +520,14 @@ def ObjToYamlStrLines(obj, options=None): } ) + ################################################################################################### def GetRuleSources(requireRulesExist=False): global DEFAULT_VARS ruleSources = [] - if val2bool(DEFAULT_VARS['CUSTOM_RULES_ONLY']) == False: + if not val2bool(DEFAULT_VARS['CUSTOM_RULES_ONLY']): ruleSources.append('suricata.rules') customRuleFiles = ( @@ -656,7 +536,7 @@ def GetRuleSources(requireRulesExist=False): else [] ) - if (DEFAULT_VARS['CUSTOM_RULES_DIR'] is not None) and ((requireRulesExist == False) or (len(customRuleFiles) > 0)): + if (DEFAULT_VARS['CUSTOM_RULES_DIR'] is not None) and ((not requireRulesExist) or (len(customRuleFiles) > 0)): ruleSources.append(os.path.join(DEFAULT_VARS['CUSTOM_RULES_DIR'], '*.rules')) return ruleSources @@ -844,7 +724,6 @@ def main(): # while we're here, configure the eve-log section of outputs if name == 'eve-log': - # enable community-id for easier cross-referencing and pcap-file for # tying back to the original PCAP filename cfg['outputs'][outputIdx][name]['community-id'] = True @@ -852,7 +731,6 @@ def main(): # configure the various different output types belonging to eve-log if 'types' in cfg['outputs'][outputIdx][name]: - remainingTypes = set(list(PROTOCOL_CONFIGS.keys())) for dumperIdx in reversed(range(len(cfg['outputs'][outputIdx][name]['types']))): @@ -1218,7 +1096,9 @@ def main(): '-l', tmpLogDir, '-T', - ] + ], + debug=args.verbose > logging.DEBUG, + logger=logging, ) logging.info(f'suricata configuration test returned {script_return_code}') if script_return_code != 0: 
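Review bot: `debug=args.verbose > logging.DEBUG` in the new keyword arguments reads as inverted if `args.verbose` holds a logging level here as it does in the pcap watcher's `main()` in this same diff (`args.verbose = logging.ERROR - (10 * args.verbose)`, where smaller means more verbose): the expression is true at WARNING and INFO and false at DEBUG, so the `debug` flag would be on except when the user asked for debug output. If that is the case it should be `debug=args.verbose <= logging.DEBUG`; if `args.verbose` is still the raw `-v` count in this file, a comment next to the comparison saying so would stop the next reader from drawing the same conclusion. The call these arguments belong to starts outside the hunk.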
@@ -1247,11 +1127,11 @@ def main(): if DEFAULT_VARS['RUN_DIR'] is not None and os.path.isdir(os.path.join(DEFAULT_VARS['RUN_DIR'])): try: os.remove(os.path.join(DEFAULT_VARS['RUN_DIR'], 'suricata.pid')) - except: + except Exception: pass try: os.remove(os.path.join(DEFAULT_VARS['RUN_DIR'], 'suricata-command.socket')) - except: + except Exception: pass diff --git a/shared/bin/suricata_update_config_populate.py b/shared/bin/suricata_update_config_populate.py index b51afb146..6dda3c649 100755 --- a/shared/bin/suricata_update_config_populate.py +++ b/shared/bin/suricata_update_config_populate.py @@ -27,6 +27,8 @@ from shutil import move as MoveFile, copyfile as CopyFile from subprocess import PIPE, Popen +from malcolm_utils import val2bool + ################################################################################################### args = None script_return_code = 0 
@@ -38,67 +40,6 @@ YAML_VERSION = (1, 1) BACKUP_FILES_MAX = 10 -################################################################################################### -def val2bool(v): - try: - if v is None: - return False - elif isinstance(v, bool): - return v - elif isinstance(v, str): - if v.lower() in ("yes", "true", "t", "y"): - return True - elif v.lower() in ("no", "false", "f", "n"): - return False - else: - raise ValueError(f'Boolean value expected (got {v})') - else: - raise ValueError(f'Boolean value expected (got {v})') - except: - # just pitch it back and let the caller worry about it - return v - - -################################################################################################### -@contextlib.contextmanager -def pushd(directory): - prevDir = os.getcwd() - os.chdir(directory) - try: - yield - finally: - os.chdir(prevDir) - - -################################################################################################### -def get_iterable(x): - if isinstance(x, Iterable) and not isinstance(x, str): - return x - else: - return (x,) - - -################################################################################################### -def deep_get(d, keys, default=None): - k = get_iterable(keys) - if d is None: - return default - if not keys: - return d - return deep_get(d.get(k[0]), k[1:], default) - - -################################################################################################### -def deep_set(d, keys, value, deleteIfNone=False): - k = get_iterable(keys) - for key in k[:-1]: - if (key not in d) or (not isinstance(d[key], dict)): - d[key] = dict() - d = d[key] - d[k[-1]] = value - if (deleteIfNone == True) and (value is None): - d.pop(k[-1], None) - ################################################################################################### # run command with arguments and return its exit code and output 
@@ -111,7 +52,7 @@ def __call__(self, repr, data): ################################################################################################### def ObjToYamlStrLines(obj, options=None): outputStr = None - if options == None: + if options is None: options = {} yaml = YAML() @@ -221,7 +162,6 @@ def main(): args.output if args.output else args.input if args.inplace else inFileParts[0] + "_new" + inFileParts[1] ) - argsOrigVerbose = args.verbose args.verbose = logging.CRITICAL - (10 * args.verbose) if args.verbose > 0 else 0 logging.basicConfig( level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S' diff --git a/shared/bin/watch_common.py b/shared/bin/watch_common.py new file mode 100644 index 000000000..17caa9300 --- /dev/null +++ b/shared/bin/watch_common.py 
@@ -0,0 +1,339 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import os +import json +import logging +import time + +from malcolm_utils import AtomicInt, ContextLockedOrderedDict, same_file_or_dir + +from watchdog.events import ( + FileSystemEventHandler, + FileMovedEvent, + FileModifiedEvent, + FileCreatedEvent, + FileClosedEvent, + FileOpenedEvent, + FileDeletedEvent, +) + +from multiprocessing.pool import ThreadPool +from threading import get_native_id +from watchdog.utils import WatchdogShutdown +from watchdog.observers import Observer +from watchdog.observers.polling import PollingObserver +from collections import namedtuple, defaultdict, OrderedDict + +ASSUME_CLOSED_SEC_DEFAULT = 10 + +OperationEvent = namedtuple("OperationEvent", ["timestamp", "operation", "size"], rename=False) + + +################################################################################################### +class FileOperationEventHandler(FileSystemEventHandler): + def __init__( + self, + logger, + polling, + *args, + **kwargs, + ): + super().__init__(*args, **kwargs) + self.polling = polling + self.logger = logger if logger else logging + self.workerPid = get_native_id() + self.updateTime() + # self.deck is a dictionary mapping filenames to a list of OperationEvent of length n, + # with [0] being the oldest timestamp/operation and [n-1] being the newest + # timestamp/operation. + # In self.deck itself, items at the first (idx=0) of this OrderedDict are the + # oldest, items at the last (idx=len-1) are the newest. + self.deck = ContextLockedOrderedDict() + # because of the pain in the butt that is the fact that we get the modify events + # on attributes-only changes (see below where I set fSize), if events show up + # for files and we've ONLY seen open and/or attribute-only modify events (i.e., + # the size doesn't change) then we're just going to hold on to them here in + # self.modDeck until we promote them to self.deck for processing. 
+ # Once gorakhargosh/watchdog#800 is pulled (resolving gorakhargosh/watchdog#260) + # we can get rid of this complication and just ignore attribute-only events. + self.modDeck = OrderedDict() + + def done(self): + return True + + def updateTime(self): + self.nowTime = int(time.time()) + + def on_any_event(self, event): + fName = None + if not event.is_directory: + self.updateTime() + + # if this is a move event, we need to track the old and new filenames + if isinstance(event, FileMovedEvent): + fName = event.dest_path + fNameOld = event.src_path + self.logger.debug(f"↦\t{event.event_type: >10}\t{event.src_path} {event.dest_path}\t{self.workerPid}") + else: + fName = event.src_path + fNameOld = None + self.logger.debug(f"🗲\t{event.event_type: <10}\t{event.src_path}\t{self.workerPid}") + + # This is a pain, but due to this watchdog issue (see + # https://github.com/gorakhargosh/watchdog/issues/260 and + # https://github.com/gorakhargosh/watchdog/pull/800) + # we get FileModifiedEvent triggered for metadata-only changes + # even if content has not changed (e.g., file access time). + # So for now, if we detect a file has been modified but the size + # hasn't changed, we will ignore that event. + try: + fSize = os.path.getsize(fName) + except Exception: + fSize = 0 + + # FileClosedEvent is only going to come from inotify events, not polling + # so we know we're good to go (a FileClosedEvent signals we can process the + # file immediately). We can signal this by setting the timestamp to 0. 
+ newOpLog = OperationEvent( + self.nowTime if (not isinstance(event, FileClosedEvent)) else 0, + event.event_type, + fSize, + ) + noop = False + + with self.deck as d: + try: + deckInserted = d + + if fNameOld and same_file_or_dir(os.path.dirname(fNameOld), os.path.dirname(fName)): + # a file was simply renamed in the watched directory (not moved + # from some other directory) so remove the old filename from our list + # and a new one will get added + d.pop(fNameOld, None) + self.modDeck.pop(fNameOld, None) + + # insert or update file event(s) + + if fName in d: + # this is a file we're already currently tracking in main deck + + # see comment about fSize above (FileModifiedEvent only counts if the file size is changed) + if ( + isinstance(event, FileModifiedEvent) + and (newOpLog.size > 0) + and (len(d[fName]) > 0) + and (newOpLog.size == d[fName][-1].size) + ): + # don't do *anything*, leave the entry untouched in the list + noop = True + + elif (len(d[fName]) > 0) and (d[fName][-1].operation == event.event_type): + # if the previous operation (the last one in the history) was the same as this one, + # replace the operation rather than appending a new one (effectively just updating the timestamp) + if (newOpLog.timestamp > d[fName][-1].timestamp) or (newOpLog.size != d[fName][-1].size): + d[fName][-1] = newOpLog + + else: + # otherwise append a new history item + d[fName].append(newOpLog) + + elif fName in self.modDeck: + # we've seen this entry before, but it's in the staging modDeck + + modifyOpSizes = [ + optLog.size for optLog in self.modDeck[fName] if optLog.operation == "modified" + ] + # promote to main deck if either: + # - this is something more than just an open/modify attribute event OR + # - this is a modified event, but the size is different now so it is an actual modification + if (not isinstance(event, FileOpenedEvent) and not isinstance(event, FileModifiedEvent)) or ( + isinstance(event, FileModifiedEvent) + and (len(modifyOpSizes) > 0) + and 
(newOpLog.size > 0) + and (newOpLog.size != modifyOpSizes[-1]) + ): + # promote what's already in modDec to the real deck, then append this new history item + self.logger.debug(f"𝦸\t{event.event_type: <10}\t{fName}\t{self.workerPid}") + d[fName] = self.modDeck.pop(fName) + d[fName].append(newOpLog) + + else: + # this is a file we were not previously tracking at all, in either deck + + if isinstance(event, FileOpenedEvent) or isinstance(event, FileModifiedEvent): + # this is the very first time we've seen this file, if this + # is "open" or "modified" with no other context yet then + # put it in modDec until it shows up like a real modification + deckInserted = self.modDeck + + deckInserted[fName] = [newOpLog] + + # move the file to the appropriate end of its deck, if needed + if not noop: + if ( + isinstance(event, FileModifiedEvent) + or isinstance(event, FileClosedEvent) + or isinstance(event, FileCreatedEvent) + or isinstance(event, FileMovedEvent) + ): + # put FileClosedEvent events (which now have a timestamp of 0) at the front of + # the deck (to be processed first), and others to the back + deckInserted.move_to_end(fName, last=deckInserted[fName][-1].timestamp > 0) + + elif isinstance(event, FileDeletedEvent): + # if a file is deleted I guess we don't need to track it any more + d.pop(fName, None) + self.modDeck.pop(fName, None) + fName = None + + else: + noop = True + + if noop: + self.logger.debug(f"🗑\t{event.event_type: <10}\t{fName}\t{self.workerPid}") + + elif fName: + if fName in d: + self.logger.debug(f"➊\t{fName}\t{json.dumps(d[fName])}\t{self.workerPid}") + if fName in self.modDeck: + self.logger.debug(f"➋\t{fName}\t{json.dumps(self.modDeck[fName])}\t{self.workerPid}") + + except Exception as e: + self.logger.error(f"⨳\t{fName}\t{e}\t{self.workerPid}") + + +################################################################################################### +def ProcessFileEventWorker(workerArgs): + ( + handler, + observer, + fileProcessor, + 
fileProcessorKwargs, + assumeClosedSec, + workerThreadCount, + shutDown, + logger, + ) = ( + workerArgs[0], + workerArgs[1], + workerArgs[2], + workerArgs[3], + workerArgs[4], + workerArgs[5], + workerArgs[6], + workerArgs[7], + ) + if not logger: + logger = logging + + with workerThreadCount as workerId: + workerPid = get_native_id() + logger.info(f"۞\tstarted\t[{workerPid}:{workerId}]") + + sleepInterval = 0.5 + while (not shutDown[0]) and observer.is_alive(): + time.sleep(sleepInterval) + sleepInterval = min(sleepInterval + 1.0, 5.0) + + nowTime = int(time.time()) + + with handler.deck as d: + for fileName, fileHistory in list(d.items()): + logger.debug(f"⏿ checking {fileName}\t{json.dumps(fileHistory)}\t[{workerPid}:{workerId}]") + + if len(fileHistory) > 0: + if nowTime < fileHistory[-1].timestamp + assumeClosedSec: + # we can break because the list is ordered + logger.debug( + f"⎊\tbreaking early because {nowTime} < {fileHistory[-1].timestamp + assumeClosedSec}\t[{workerPid}:{workerId}]" + ) + break + + elif ( + # - If we're polling, rely on the timestamp comparison done above and process this file + handler.polling + # - If we're not polling, but we have a timestamp == 0, then we had a FileClosedEvent and can be processed + or (fileHistory[-1].timestamp == 0) + # - If we're not polling, and the item has expired (timestamp comparison done above) and the only items + # in this item's history are "created" or "moved" then this was atomically moved in from another directory + # on the same filesystem and should be processed now + or ( + not any( + set([x.operation for x in fileHistory if x.operation not in ('created', 'moved')]) + ) + ) + ): + del d[fileName] + if fileProcessor is not None: + extraArgs = ( + fileProcessorKwargs + if fileProcessorKwargs and isinstance(fileProcessorKwargs, dict) + else {} + ) + fileProcessor( + fileName, + **extraArgs, + ) + logger.info( + f"🖄\tprocessed\t{fileName} at {(nowTime-fileHistory[-1].timestamp) if 
(fileHistory[-1].timestamp > 0) else 0} seconds\t[{workerPid}:{workerId}]" + ) + sleepInterval = 0.5 + + time.sleep(1) + logger.info(f"⛒\tfinished\t[{workerPid}:{workerId}]") + + +def WatchAndProcessDirectory( + directories, + polling, + fileProcessor, + fileProcessorKwargs, + assumeClosedSec, + shuttingDown, + logger, +): + observer = PollingObserver() if polling else Observer() + loggerToUse = logger if logger else logging + handler = FileOperationEventHandler( + logger=loggerToUse, + polling=polling, + ) + for directory in directories: + loggerToUse.info(f"🗐\tScheduling {directory}") + observer.schedule(handler, directory, recursive=True) + + observer.start() + try: + workerThreadCount = AtomicInt(value=0) + ThreadPool( + 1, + ProcessFileEventWorker( + [ + handler, + observer, + fileProcessor, + fileProcessorKwargs, + assumeClosedSec, + workerThreadCount, + shuttingDown, + loggerToUse, + ], + ), + ) + + while (not shuttingDown[0]) and observer.is_alive(): + observer.join(1) + + if shuttingDown[0]: + raise WatchdogShutdown() + + except WatchdogShutdown: + observer.unschedule_all() + + finally: + observer.stop() + observer.join() + + while workerThreadCount.value() > 0: + time.sleep(1) diff --git a/shared/bin/zeek_carve_logger.py b/shared/bin/zeek_carve_logger.py index 56b188f5b..0f2e0f884 100755 --- a/shared/bin/zeek_carve_logger.py +++ b/shared/bin/zeek_carve_logger.py @@ -10,9 +10,9 @@ ################################################################################################### import argparse -import datetime import json import os +import logging import pathlib import re import shutil 
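Review bot: In WatchAndProcessDirectory the worker is invoked rather than handed to the pool: `ThreadPool(1, ProcessFileEventWorker([...]))` calls ProcessFileEventWorker synchronously on the calling thread and passes its None return value as the pool's initializer, so the `observer.join(1)` loop underneath only runs after the worker has already exited. The form used in zeek_carve_scanner is the intended one, `ThreadPool(1, ProcessFileEventWorker, ([handler, observer, fileProcessor, fileProcessorKwargs, assumeClosedSec, workerThreadCount, shuttingDown, loggerToUse],))`, and the pool should be kept in a local so it has an owner for the lifetime of its worker. Separately, ProcessFileEventWorker calls fileProcessor while still inside `with handler.deck as d:`; if that context holds the deck lock, as the ContextLockedOrderedDict name suggests, a slow fileProcessor blocks on_any_event and stalls event intake, so consider popping the entry under the lock and invoking fileProcessor after the with block.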
@@ -24,12 +24,29 @@ from collections import defaultdict from contextlib import nullcontext from datetime import datetime -from zeek_carve_utils import * + +from zeek_carve_utils import ( + BroSignatureLine, + extracted_filespec_to_fields, + FILE_SCAN_RESULT_DESCRIPTION, + FILE_SCAN_RESULT_ENGINES, + FILE_SCAN_RESULT_FILE, + FILE_SCAN_RESULT_HITS, + FILE_SCAN_RESULT_MESSAGE, + FILE_SCAN_RESULT_SCANNER, + PRESERVE_ALL, + PRESERVE_NONE, + PRESERVE_PRESERVED_DIR_NAME, + PRESERVE_QUARANTINED, + PRESERVE_QUARANTINED_DIR_NAME, + SINK_PORT, + ZEEK_SIGNATURE_NOTICE, +) + +import malcolm_utils +from malcolm_utils import str2bool, AtomicInt, same_file_or_dir ################################################################################################### -debug = False -verboseDebug = False -debugToggled = False pdbFlagged = False args = None scriptName = os.path.basename(__file__) @@ -37,6 +54,7 @@ origPath = os.getcwd() shuttingDown = False + ################################################################################################### # handle sigint/sigterm and set a global shutdown variable def shutdown_handler(signum, frame): 
@@ -51,58 +69,15 @@ def pdb_handler(sig, frame): pdbFlagged = True -################################################################################################### -# handle sigusr2 for toggling debug -def debug_toggle_handler(signum, frame): - global debug - global debugToggled - debug = not debug - debugToggled = True - - -################################################################################################### -# -def same_file_or_dir(path1, path2): - try: - return os.path.samefile(path1, path2) - except: - return False - - ################################################################################################### # main def main(): global args - global debug - global verboseDebug - global debugToggled global pdbFlagged global shuttingDown parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) - parser.add_argument( - '-v', - '--verbose', - dest='debug', - help="Verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) - parser.add_argument( - '--extra-verbose', - dest='verboseDebug', - help="Super verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) + parser.add_argument('--verbose', '-v', action='count', default=1, help='Increase verbosity (e.g., -v, -vv, etc.)') parser.add_argument( '--start-sleep', dest='startSleepSec', 
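Review bot: Replacing the `type=str2bool, nargs='?'` form of `--verbose` with `action='count'` changes the CLI contract: any existing invocation that passes a value, such as `--verbose true` or `-v false` as the old `metavar='true|false'` advertised, is now rejected by argparse as an unrecognized argument, and an explicit "off" can no longer be expressed. If launch scripts or supervisord configs outside this diff still pass a value they need updating in the same change, or the old spelling should keep being accepted for a release. Also, `str2bool` is still imported from malcolm_utils on the new side but is no longer referenced by this hunk; drop it if nothing else in the file uses it. The enclosing main() continues past the end of the hunk.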
@@ -147,13 +122,14 @@ def main(): parser.print_help() exit(2) - verboseDebug = args.verboseDebug - debug = args.debug or verboseDebug - if debug: - eprint(os.path.join(scriptPath, scriptName)) - eprint("{} arguments: {}".format(scriptName, sys.argv[1:])) - eprint("{} arguments: {}".format(scriptName, args)) - else: + args.verbose = logging.ERROR - (10 * args.verbose) if args.verbose > 0 else 0 + logging.basicConfig( + level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S' + ) + logging.info(os.path.join(scriptPath, scriptName)) + logging.info("Arguments: {}".format(sys.argv[1:])) + logging.info("Arguments: {}".format(args)) + if args.verbose > logging.DEBUG: sys.tracebacklimit = 0 # determine what to do with scanned files (preserve only "hits", preserve all, preserve none) @@ -161,14 +137,13 @@ def main(): if len(args.preserveMode) == 0: args.preserveMode = PRESERVE_QUARANTINED elif args.preserveMode not in [PRESERVE_QUARANTINED, PRESERVE_ALL, PRESERVE_NONE]: - eprint(f'Invalid file preservation mode "{args.preserveMode}"') + logging.error(f'Invalid file preservation mode "{args.preserveMode}"') sys.exit(1) # handle sigint and sigterm for graceful shutdown signal.signal(signal.SIGINT, shutdown_handler) signal.signal(signal.SIGTERM, shutdown_handler) signal.signal(signal.SIGUSR1, pdb_handler) - signal.signal(signal.SIGUSR2, debug_toggle_handler) # sleep for a bit if requested sleepCount = 0 
@@ -190,12 +165,10 @@ def main(): quarantineDir = os.path.join(args.baseDir, PRESERVE_QUARANTINED_DIR_NAME) preserveDir = os.path.join(args.baseDir, PRESERVE_PRESERVED_DIR_NAME) if (args.preserveMode != PRESERVE_NONE) and (not os.path.isdir(quarantineDir)): - if debug: - eprint(f'Creating "{quarantineDir}" for quarantined files') + logging.info(f'Creating "{quarantineDir}" for quarantined files') pathlib.Path(quarantineDir).mkdir(parents=False, exist_ok=True) if (args.preserveMode == PRESERVE_ALL) and (not os.path.isdir(preserveDir)): - if debug: - eprint(f'Creating "{preserveDir}" for other preserved files') + logging.info(f'Creating "{preserveDir}" for other preserved files') pathlib.Path(preserveDir).mkdir(parents=False, exist_ok=True) # initialize ZeroMQ context and socket(s) to send messages to @@ -207,8 +180,7 @@ def main(): scanned_files_socket.SNDTIMEO = 5000 scanned_files_socket.RCVTIMEO = 5000 - if debug: - eprint(f"{scriptName}: bound sink port {SINK_PORT}") + logging.info(f"{scriptName}: bound sink port {SINK_PORT}") scanners = set() fileScanCounts = defaultdict(AtomicInt) @@ -235,7 +207,6 @@ def main(): print(f'#types\t{BroSignatureLine.signature_types_line()}', file=broSigFile, end='\n') while not shuttingDown: - if pdbFlagged: pdbFlagged = False breakpoint() 
@@ -243,28 +214,24 @@ def main(): triggered = False try: scanResult = json.loads(scanned_files_socket.recv_string()) - if debug: - eprint(f"{scriptName}:\t📨\t{scanResult}") - except zmq.Again as timeout: + logging.info(f"{scriptName}:\t📨\t{scanResult}") + except zmq.Again: + # no file received due to timeout, we'll go around and try again scanResult = None - if verboseDebug: - eprint(f"{scriptName}:\t🕑\t(recv)") if isinstance(scanResult, dict): - # register/deregister scanners if FILE_SCAN_RESULT_SCANNER in scanResult: scanner = scanResult[FILE_SCAN_RESULT_SCANNER].lower() if scanner.startswith('-'): - if debug: - eprint(f"{scriptName}:\t🙃\t{scanner[1:]}") + logging.info(f"{scriptName}:\t🙃\t{scanner[1:]}") try: scanners.remove(scanner[1:]) except KeyError: pass else: - if debug and (scanner not in scanners): - eprint(f"{scriptName}:\t🇷\t{scanner}") + if scanner not in scanners: + logging.info(f"{scriptName}:\t🇷\t{scanner}") scanners.add(scanner) # process scan results @@ -279,7 +246,6 @@ def main(): FILE_SCAN_RESULT_DESCRIPTION, ) ): - triggered = scanResult[FILE_SCAN_RESULT_HITS] > 0 fileName = scanResult[FILE_SCAN_RESULT_FILE] fileNameBase = os.path.basename(fileName) 
@@ -318,25 +284,21 @@ def main(): # finally, what to do with the file itself if os.path.isfile(fileName): - # once all of the scanners have had their turn... if fileScanCount >= len(scanners): fileScanCounts.pop(fileNameBase, None) fileScanHits.pop(fileNameBase, None) if (fileScanHitCount > 0) and (args.preserveMode != PRESERVE_NONE): - # move triggering file to quarantine if not same_file_or_dir( fileName, os.path.join(quarantineDir, fileNameBase) ): # unless it's somehow already there - try: shutil.move(fileName, quarantineDir) - if debug: - eprint(f"{scriptName}:\t⏩\t{fileName} ({fileScanCount}/{len(scanners)})") + logging.info(f"{scriptName}:\t⏩\t{fileName} ({fileScanCount}/{len(scanners)})") except Exception as e: - eprint(f"{scriptName}:\t❗\t🚫\t{fileName} move exception: {e}") + logging.warning(f"{scriptName}:\t❗\t🚫\t{fileName} move exception: {e}") # hm move failed, delete it i guess? os.remove(fileName) 
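Review bot: When the quarantine move fails, the except branch still falls through to `os.remove(fileName)` for a file the scanners flagged, so a failed quarantine (permissions, full volume) silently destroys the only copy of the detection, and that os.remove is itself unguarded, so a second failure propagates out of the receive loop and takes the logger down. These lines are context rather than new in this hunk, but since the commit is reworking the error reporting here, the warning should at least say the file is being deleted, e.g. `logging.warning(f"{scriptName}:\t❗\t🚫\t{fileName} move exception: {e}, deleting")`, and the remove should be wrapped in its own try/except that logs and continues. The enclosing main() loop extends beyond the hunk.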
@@ -344,29 +306,25 @@ def main(): if not same_file_or_dir( quarantineDir, os.path.dirname(fileName) ): # don't move or delete if it's somehow already quarantined - if args.preserveMode == PRESERVE_ALL: # move non-triggering file to preserved directory try: shutil.move(fileName, preserveDir) - if verboseDebug: - eprint( - f"{scriptName}:\t⏩\t{fileName} ({fileScanCount}/{len(scanners)})" - ) + logging.debug( + f"{scriptName}:\t⏩\t{fileName} ({fileScanCount}/{len(scanners)})" + ) except Exception as e: - eprint(f"{scriptName}:\t❗\t🚫\t{fileName} move exception: {e}") + logging.warning(f"{scriptName}:\t❗\t🚫\t{fileName} move exception: {e}") # hm move failed, delete it i guess? os.remove(fileName) else: # delete the file os.remove(fileName) - if verboseDebug: - eprint(f"{scriptName}:\t🚫\t{fileName} ({fileScanCount}/{len(scanners)})") + logging.debug(f"{scriptName}:\t🚫\t{fileName} ({fileScanCount}/{len(scanners)})") # graceful shutdown - if debug: - eprint(f"{scriptName}: shutting down...") + logging.info(f"{scriptName}: shutting down...") if __name__ == '__main__': diff --git a/shared/bin/zeek_carve_scanner.py b/shared/bin/zeek_carve_scanner.py index ae92ff304..35d56f7bd 100755 --- a/shared/bin/zeek_carve_scanner.py +++ b/shared/bin/zeek_carve_scanner.py 
@@ -15,18 +15,49 @@ import pathlib import json import signal +import logging import sys import threading import time import zmq -from zeek_carve_utils import * from multiprocessing.pool import ThreadPool +from zeek_carve_utils import ( + AnalyzerResult, + AnalyzerScan, + BroSignatureLine, + CapaScan, + CarvedFileSubscriberThreaded, + ClamAVScan, + extracted_filespec_to_fields, + FILE_SCAN_RESULT_DESCRIPTION, + FILE_SCAN_RESULT_ENGINES, + FILE_SCAN_RESULT_FILE, + FILE_SCAN_RESULT_FILE_SIZE, + FILE_SCAN_RESULT_HITS, + FILE_SCAN_RESULT_MESSAGE, + FILE_SCAN_RESULT_SCANNER, + FILE_SCAN_RESULT_FILE_TYPE, + FileScanProvider, + PRESERVE_ALL, + PRESERVE_NONE, + PRESERVE_PRESERVED_DIR_NAME, + PRESERVE_QUARANTINED, + PRESERVE_QUARANTINED_DIR_NAME, + SINK_PORT, + VENTILATOR_PORT, + VirusTotalSearch, + YARA_CUSTOM_RULES_DIR, + YARA_RULES_DIR, + YaraScan, + ZEEK_SIGNATURE_NOTICE, +) +import malcolm_utils +from malcolm_utils import eprint, str2bool, AtomicInt + + ################################################################################################### -debug = False -verboseDebug = False -debugToggled = False pdbFlagged = False args = None scriptName = os.path.basename(__file__) @@ -35,6 +66,7 @@ shuttingDown = False scanWorkersCount = AtomicInt(value=0) + ################################################################################################### # handle sigint/sigterm and set a global shutdown variable def shutdown_handler(signum, frame): 
@@ -49,20 +81,9 @@ def pdb_handler(sig, frame): pdbFlagged = True -################################################################################################### -# handle sigusr2 for toggling debug -def debug_toggle_handler(signum, frame): - global debug - global debugToggled - debug = not debug - debugToggled = True - - ################################################################################################### # look for a file to scan (probably in its original directory, but possibly already moved to quarantine) def locate_file(fileInfo): - global verboseDebug - if isinstance(fileInfo, dict) and (FILE_SCAN_RESULT_FILE in fileInfo): fileName = fileInfo[FILE_SCAN_RESULT_FILE] elif isinstance(fileInfo, str): @@ -71,7 +92,6 @@ def locate_file(fileInfo): fileName = None if fileName is not None: - if os.path.isfile(fileName): return fileName @@ -81,8 +101,7 @@ def locate_file(fileInfo): os.path.join(os.path.dirname(os.path.realpath(fileName)), testPath), os.path.basename(fileName) ) if os.path.isfile(testFileName): - if verboseDebug: - eprint(f"{scriptName}:\t⏩\t{testFileName}") + logging.debug(f"{scriptName}:\t⏩\t{testFileName}") return testFileName return None @@ -90,20 +109,16 @@ def locate_file(fileInfo): ################################################################################################### def scanFileWorker(checkConnInfo, carvedFileSub): - global debug - global verboseDebug global shuttingDown global scanWorkersCount scanWorkerId = scanWorkersCount.increment() # unique ID for this thread scannerRegistered = False - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\tstarted") + logging.info(f"{scriptName}[{scanWorkerId}]:\tstarted") try: if isinstance(checkConnInfo, FileScanProvider): - # initialize ZeroMQ context and socket(s) to send scan results context = zmq.Context() 
@@ -112,8 +127,7 @@ def scanFileWorker(checkConnInfo, carvedFileSub): scanned_files_socket.connect(f"tcp://localhost:{SINK_PORT}") # todo: do I want to set this? probably not, since what else would we do if we can't send? just block # scanned_files_socket.SNDTIMEO = 5000 - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\tconnected to sink at {SINK_PORT}") + logging.info(f"{scriptName}[{scanWorkerId}]:\tconnected to sink at {SINK_PORT}") fileInfo = None fileName = None @@ -121,7 +135,6 @@ def scanFileWorker(checkConnInfo, carvedFileSub): # loop forever, or until we're told to shut down while not shuttingDown: - # "register" this scanner with the logger while (not scannerRegistered) and (not shuttingDown): try: @@ -129,13 +142,11 @@ def scanFileWorker(checkConnInfo, carvedFileSub): json.dumps({FILE_SCAN_RESULT_SCANNER: checkConnInfo.scanner_name()}) ) scannerRegistered = True - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🇷\t{checkConnInfo.scanner_name()}") + logging.info(f"{scriptName}[{scanWorkerId}]:\t🇷\t{checkConnInfo.scanner_name()}") - except zmq.Again as timeout: + except zmq.Again: # todo: what to do here? - if verboseDebug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🕑\t{checkConnInfo.scanner_name()} 🇷") + logging.debug(f"{scriptName}[{scanWorkerId}]:\t🕑\t{checkConnInfo.scanner_name()} 🇷") if shuttingDown: break @@ -143,8 +154,7 @@ def scanFileWorker(checkConnInfo, carvedFileSub): if retrySubmitFile and (fileInfo is not None) and (locate_file(fileInfo) is not None): # we were unable to submit the file for processing, so try again time.sleep(1) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🔃\t{json.dumps(fileInfo)}") + logging.info(f"{scriptName}[{scanWorkerId}]:\t🔃\t{json.dumps(fileInfo)}") else: retrySubmitFile = False 
@@ -153,10 +163,8 @@ def scanFileWorker(checkConnInfo, carvedFileSub): fileName = locate_file(fileInfo) if (fileName is not None) and os.path.isfile(fileName): - # file exists, submit for scanning - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🔎\t{json.dumps(fileInfo)}") + logging.info(f"{scriptName}[{scanWorkerId}]:\t🔎\t{json.dumps(fileInfo)}") requestComplete = False scanResult = None fileSize = ( @@ -181,8 +189,7 @@ def scanFileWorker(checkConnInfo, carvedFileSub): ), ) if scan.submissionResponse is not None: - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🔍\t{fileName}") + logging.info(f"{scriptName}[{scanWorkerId}]:\t🔍\t{fileName}") # file was successfully submitted and is now being scanned retrySubmitFile = False @@ -190,13 +197,11 @@ def scanFileWorker(checkConnInfo, carvedFileSub): # todo: maximum time we wait for a single file to be scanned? while (not requestComplete) and (not shuttingDown): - # wait a moment then check to see if the scan is complete time.sleep(scan.provider.check_interval()) response = scan.provider.check_result(scan.submissionResponse) if isinstance(response, AnalyzerResult): - # whether the scan has completed requestComplete = response.finished @@ -229,13 +234,11 @@ def scanFileWorker(checkConnInfo, carvedFileSub): try: # Send results to sink scanned_files_socket.send_string(json.dumps(scan.provider.format(fileName, scanResult))) - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\t✅\t{fileName}") + logging.info(f"{scriptName}[{scanWorkerId}]:\t✅\t{fileName}") - except zmq.Again as timeout: + except zmq.Again: # todo: what to do here? - if verboseDebug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🕑\t{fileName}") + logging.debug(f"{scriptName}[{scanWorkerId}]:\t🕑\t{fileName}") else: eprint(f"{scriptName}[{scanWorkerId}]:\tinvalid scanner provider specified") 
@@ -248,51 +251,23 @@ def scanFileWorker(checkConnInfo, carvedFileSub): json.dumps({FILE_SCAN_RESULT_SCANNER: f"-{checkConnInfo.scanner_name()}"}) ) scannerRegistered = False - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🙃\t{checkConnInfo.scanner_name()}") - except zmq.Again as timeout: + logging.info(f"{scriptName}[{scanWorkerId}]:\t🙃\t{checkConnInfo.scanner_name()}") + except zmq.Again: # todo: what to do here? - if verboseDebug: - eprint(f"{scriptName}[{scanWorkerId}]:\t🕑\t{checkConnInfo.scanner_name()} 🙃") + logging.debug(f"{scriptName}[{scanWorkerId}]:\t🕑\t{checkConnInfo.scanner_name()} 🙃") - if debug: - eprint(f"{scriptName}[{scanWorkerId}]:\tfinished") + logging.info(f"{scriptName}[{scanWorkerId}]:\tfinished") ################################################################################################### # main def main(): global args - global debug - global debugToggled global pdbFlagged global shuttingDown - global verboseDebug parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) - parser.add_argument( - '-v', - '--verbose', - dest='debug', - help="Verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) - parser.add_argument( - '--extra-verbose', - dest='verboseDebug', - help="Super verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) + parser.add_argument('--verbose', '-v', action='count', default=1, help='Increase verbosity (e.g., -v, -vv, etc.)') parser.add_argument( '--start-sleep', dest='startSleepSec', 
@@ -389,20 +364,20 @@ def main(): parser.print_help() exit(2) - verboseDebug = args.verboseDebug - debug = args.debug or verboseDebug - if debug: - eprint(os.path.join(scriptPath, scriptName)) - eprint("{} arguments: {}".format(scriptName, sys.argv[1:])) - eprint("{} arguments: {}".format(scriptName, args)) - else: + args.verbose = logging.ERROR - (10 * args.verbose) if args.verbose > 0 else 0 + logging.basicConfig( + level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S' + ) + logging.info(os.path.join(scriptPath, scriptName)) + logging.info("Arguments: {}".format(sys.argv[1:])) + logging.info("Arguments: {}".format(args)) + if args.verbose > logging.DEBUG: sys.tracebacklimit = 0 # handle sigint and sigterm for graceful shutdown signal.signal(signal.SIGINT, shutdown_handler) signal.signal(signal.SIGTERM, shutdown_handler) signal.signal(signal.SIGUSR1, pdb_handler) - signal.signal(signal.SIGUSR2, debug_toggle_handler) # sleep for a bit if requested sleepCount = 0 @@ -418,11 +393,14 @@ def main(): if not args.yaraCustomOnly: yaraDirs.append(YARA_RULES_DIR) yaraDirs.append(YARA_CUSTOM_RULES_DIR) - checkConnInfo = YaraScan(debug=debug, verboseDebug=verboseDebug, rulesDirs=yaraDirs, reqLimit=args.reqLimit) + checkConnInfo = YaraScan( + logger=logging, + rulesDirs=yaraDirs, + reqLimit=args.reqLimit, + ) elif args.enableCapa: checkConnInfo = CapaScan( - debug=debug, - verboseDebug=verboseDebug, + logger=logging, rulesDir=args.capaRulesDir, verboseHits=args.capaVerbose, reqLimit=args.reqLimit, 
@@ -431,15 +409,20 @@ def main(): if not args.enableClamAv: eprint('No scanner specified, defaulting to ClamAV') checkConnInfo = ClamAVScan( - debug=debug, verboseDebug=verboseDebug, socketFileName=args.clamAvSocket, reqLimit=args.reqLimit + logger=logging, + socketFileName=args.clamAvSocket, + reqLimit=args.reqLimit, ) carvedFileSub = CarvedFileSubscriberThreaded( - debug=debug, verboseDebug=verboseDebug, host='localhost', port=VENTILATOR_PORT, scriptName=scriptName + logger=logging, + host='localhost', + port=VENTILATOR_PORT, + scriptName=scriptName, ) # start scanner threads which will pull filenames to be scanned and send the results to the logger - scannerThreads = ThreadPool(checkConnInfo.max_requests(), scanFileWorker, ([checkConnInfo, carvedFileSub])) + ThreadPool(checkConnInfo.max_requests(), scanFileWorker, ([checkConnInfo, carvedFileSub])) while not shuttingDown: if pdbFlagged: pdbFlagged = False diff --git a/shared/bin/zeek_carve_utils.py b/shared/bin/zeek_carve_utils.py index 28e8b3af0..1ac1129ea 100644 --- a/shared/bin/zeek_carve_utils.py +++ b/shared/bin/zeek_carve_utils.py @@ -4,7 +4,7 @@ # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. import clamd -import hashlib +import logging import json import os import re @@ -25,6 +25,8 @@ from threading import get_ident from threading import Lock +from malcolm_utils import eprint, sha256sum, run_process, AtomicInt, dictsearch + ################################################################################################### VENTILATOR_PORT = 5987 SINK_PORT = 5988 
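Review bot: The `ThreadPool(...)` that starts the scanner threads is no longer bound to a name, so the pool object becomes unreachable as soon as the statement finishes; `multiprocessing.pool.Pool` registers its termination routine through a `Finalize` keyed on a weak reference to the pool, and recent CPython additionally emits a ResourceWarning from `Pool.__del__` for a running pool, so the pool's lifetime is now decided by garbage collection rather than by this code. Keeping `scannerThreads = ThreadPool(...)` and calling `scannerThreads.close()`/`scannerThreads.join()` after the `while not shuttingDown` loop makes the shutdown explicit; the same unbound-pool pattern appears in zeek_carve_watcher.py's main and in zeek_intel_from_threat_feed.py. The context line `eprint('No scanner specified, defaulting to ClamAV')` just above now bypasses the logging configured in main; `logging.warning(...)` would keep that message in the same stream as everything else.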
@@ -235,44 +237,6 @@ def __init__(self, source=None, fid=None, uid=None, time=None, ext=None): self.ext = ext -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ('yes', 'true', 't', 'y', '1'): - return True - elif v.lower() in ('no', 'false', 'f', 'n', '0'): - return False - else: - raise argparse.ArgumentTypeError('Boolean value expected.') - - -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(datetime.now().strftime("%Y-%m-%d %H:%M:%S"), *args, file=sys.stderr, **kwargs) - - -################################################################################################### -# calculate a sha256 hash of a file -def sha256sum(filename): - h = hashlib.sha256() - b = bytearray(64 * 1024) - mv = memoryview(b) - with open(filename, 'rb', buffering=0) as f: - for n in iter(lambda: f.readinto(mv), 0): - h.update(mv[:n]) - return h.hexdigest() - - -################################################################################################### -# recursive dictionary key search -def dictsearch(d, target): - val = filter( - None, [[b] if a == target else dictsearch(b, target) if isinstance(b, dict) else None for a, b in d.items()] - ) - return [i for b in val for i in b] - - ################################################################################################### # filespec to various fields as per the extractor zeek script (/opt/zeek/share/zeek/site/extractor.zeek) # source-fuid-uid-time.ext 
@@ -310,103 +274,13 @@ def extracted_filespec_to_fields(filespec): return result -################################################################################################### -# open a file and close it, updating its access time -def touch(filename): - open(filename, 'a').close() - os.utime(filename, None) - - -################################################################################################### -# run command with arguments and return its exit code, stdout, and stderr -def check_output_input(*popenargs, **kwargs): - if 'stdout' in kwargs: - raise ValueError('stdout argument not allowed, it will be overridden') - - if 'stderr' in kwargs: - raise ValueError('stderr argument not allowed, it will be overridden') - - if 'input' in kwargs and kwargs['input']: - if 'stdin' in kwargs: - raise ValueError('stdin and input arguments may not both be used') - inputdata = kwargs['input'] - kwargs['stdin'] = PIPE - else: - inputdata = None - kwargs.pop('input', None) - - process = Popen(*popenargs, stdout=PIPE, stderr=PIPE, **kwargs) - try: - output, errput = process.communicate(input=inputdata) - except: - process.kill() - process.wait() - raise - - retcode = process.poll() - - return retcode, output, errput - - -################################################################################################### -# run command with arguments and return its exit code and output -def run_process(command, stdout=True, stderr=True, stdin=None, cwd=None, env=None, debug=False): - retcode = -1 - output = [] - - try: - # run the command - retcode, cmdout, cmderr = check_output_input(command, input=stdin.encode() if stdin else None, cwd=cwd, env=env) - - # split the output on newlines to return a list - if stderr and (len(cmderr) > 0): - output.extend(cmderr.decode(sys.getdefaultencoding()).split('\n')) - if stdout and (len(cmdout) > 0): - output.extend(cmdout.decode(sys.getdefaultencoding()).split('\n')) - - except (FileNotFoundError, OSError, IOError) as e: - if 
stderr: - output.append("Command {} not found or unable to execute".format(command)) - - if debug: - eprint( - "{}{} returned {}: {}".format( - command, "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if stdin else ""), retcode, output - ) - ) - - return retcode, output - - -################################################################################################### -class AtomicInt: - def __init__(self, value=0): - self.val = RawValue('i', value) - self.lock = Lock() - - def increment(self): - with self.lock: - self.val.value += 1 - return self.val.value - - def decrement(self): - with self.lock: - self.val.value -= 1 - return self.val.value - - def value(self): - with self.lock: - return self.val.value - - ################################################################################################### class CarvedFileSubscriberThreaded: # --------------------------------------------------------------------------------- # constructor def __init__( self, - debug=False, - verboseDebug=False, + logger=None, host="localhost", port=VENTILATOR_PORT, context=None, @@ -414,8 +288,7 @@ def __init__( rcvTimeout=5000, scriptName='', ): - self.debug = debug - self.verboseDebug = verboseDebug + self.logger = logger if logger else logging self.scriptName = scriptName self.lock = Lock() @@ -428,8 +301,7 @@ def __init__( self.newFilesSocket.connect(f"tcp://{host}:{port}") self.newFilesSocket.setsockopt(zmq.SUBSCRIBE, bytes(topic, encoding='ascii')) self.newFilesSocket.RCVTIMEO = rcvTimeout - if self.debug: - eprint(f"{self.scriptName}:\tbound to ventilator at {port}") + self.logger.info(f"{self.scriptName}:\tbound to ventilator at {port}") # --------------------------------------------------------------------------------- def Pull(self, scanWorkerId=0): 
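Review bot: The new `logger` parameter of `CarvedFileSubscriberThreaded.__init__` is undocumented, and its contract is slightly unusual: callers in this commit pass the `logging` module itself, and the fallback `logger if logger else logging` is that same module, so `self.logger` may be either a module or a `logging.Logger`. A one-line comment on the parameter, `# logger: a logging.Logger, or the logging module (root logger) when None`, would save the next reader from checking both shapes. The constructor's parameter list begins in the previous hunk.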
@@ -439,13 +311,13 @@ def Pull(self, scanWorkerId=0): # accept a fileinfo dict from newFilesSocket try: fileinfo.update(json.loads(self.newFilesSocket.recv_string())) - except zmq.Again as timeout: + except zmq.Again: # no file received due to timeout, return empty dict. which means no file available pass - if self.verboseDebug: - eprint( - f"{self.scriptName}[{scanWorkerId}]:\t{'📨' if (FILE_SCAN_RESULT_FILE in fileinfo) else '🕑'}\t{fileinfo[FILE_SCAN_RESULT_FILE] if (FILE_SCAN_RESULT_FILE in fileinfo) else '(recv)'}" + if FILE_SCAN_RESULT_FILE in fileinfo: + self.logger.debug( + f"{self.scriptName}[{scanWorkerId}]:\t'📨'\t{fileinfo[FILE_SCAN_RESULT_FILE]}", ) return fileinfo @@ -545,7 +417,7 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo if allowed: try: response = requests.get(VTOT_URL, params={'apikey': self.apiKey, 'resource': sha256sum(fileName)}) - except requests.exceptions.RequestException as e: + except requests.exceptions.RequestException: # things are bad return None @@ -566,7 +438,7 @@ def check_result(self, submissionResponse): if submissionResponse is not None: try: result.success = submissionResponse.ok - except: + except Exception: pass try: @@ -610,7 +482,7 @@ def format(fileName, response): scans = { engine: resp['scans'][engine] for engine in resp['scans'] - if ('detected' in resp['scans'][engine]) and (resp['scans'][engine]['detected'] == True) + if ('detected' in resp['scans'][engine]) and (resp['scans'][engine]['detected']) } hits = defaultdict(list) for k, v in scans.items(): 
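Review bot: The new debug line in `Pull` prints literal quote characters around the envelope: `'📨'` was one branch of a conditional expression in the removed version but is now plain text inside the f-string, so the log reads `...:\t'📨'\t...`. Change it to `f"{self.scriptName}[{scanWorkerId}]:\t📨\t{fileinfo[FILE_SCAN_RESULT_FILE]}"`. The removed version also logged the timeout case (`🕑 (recv)`); if dropping that is intentional, the `# no file received due to timeout` comment on the `except zmq.Again: pass` now describes the only observable behavior and could say that the silence is deliberate.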
@@ -641,10 +513,14 @@ def format(fileName, response): class ClamAVScan(FileScanProvider): # --------------------------------------------------------------------------------- # constructor - def __init__(self, debug=False, verboseDebug=False, socketFileName=None, reqLimit=None): + def __init__( + self, + logger=None, + socketFileName=None, + reqLimit=None, + ): self.scanningFilesCount = AtomicInt(value=0) - self.debug = debug - self.verboseDebug = verboseDebug + self.logger = logger if logger else logging self.socketFileName = socketFileName self.reqLimit = reqLimit if reqLimit else CLAM_MAX_REQS @@ -671,9 +547,10 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo # while limit only repeats if block=True while (not allowed) and (not clamavResult.finished): + nowTime = int(time.time()) + if not connected: - if self.verboseDebug: - eprint(f"{get_ident()}: ClamAV attempting connection") + self.logger.debug(f"{get_ident()}: ClamAV attempting connection") clamAv = ( clamd.ClamdUnixSocket(path=self.socketFileName) if self.socketFileName is not None @@ -682,12 +559,10 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo try: clamAv.ping() connected = True - if self.verboseDebug: - eprint(f"{get_ident()}: ClamAV connected!") + self.logger.debug(f"{get_ident()}: ClamAV connected!") except Exception as e: connected = False - if self.debug: - eprint(f"{get_ident()}: ClamAV connection failed: {str(e)}") + self.logger.info(f"{get_ident()}: ClamAV connection failed: {str(e)}") if connected: # first make sure we haven't exceeded rate limits 
@@ -699,18 +574,15 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo if connected and allowed: try: - if self.verboseDebug: - eprint(f'{get_ident()} ClamAV scanning: {fileName}') + self.logger.debug(f'{get_ident()} ClamAV scanning: {fileName}') clamavResult.result = clamAv.scan(fileName) - if self.verboseDebug: - eprint(f'{get_ident()} ClamAV scan result: {clamavResult.result}') + self.logger.debug(f'{get_ident()} ClamAV scan result: {clamavResult.result}') clamavResult.success = clamavResult.result is not None clamavResult.finished = True except Exception as e: if clamavResult.result is None: clamavResult.result = str(e) - if self.debug: - eprint(f'{get_ident()} ClamAV scan error: {clamavResult.result}') + self.logger.info(f'{get_ident()} ClamAV scan error: {clamavResult.result}') finally: self.scanningFilesCount.decrement() @@ -775,10 +647,14 @@ def format(fileName, response): class YaraScan(FileScanProvider): # --------------------------------------------------------------------------------- # constructor - def __init__(self, debug=False, verboseDebug=False, rulesDirs=[], reqLimit=None): + def __init__( + self, + logger=None, + rulesDirs=[], + reqLimit=None, + ): self.scanningFilesCount = AtomicInt(value=0) - self.debug = debug - self.verboseDebug = verboseDebug + self.logger = logger if logger else logging self.reqLimit = reqLimit if reqLimit else YARA_MAX_REQS self.ruleFilespecs = {} for yaraDir in rulesDirs: 
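Review bot: The reformatted `YaraScan.__init__` signature keeps the mutable default `rulesDirs=[]`; the constructor only iterates the list, so there is no aliasing bug today, but the idiom invites one and the neighbouring `ClamAVScan`/`CapaScan` constructors use `None` defaults. `rulesDirs=None` together with `for yaraDir in (rulesDirs or []):` keeps the call interface and removes the shared list. The constructor body continues in the next hunk.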
@@ -788,17 +664,16 @@ def __init__(self, debug=False, verboseDebug=False, rulesDirs=[], reqLimit=None) if file.startswith(".") or file.startswith("~") or file.startswith("_"): continue filename = os.path.join(root, file) - extension = os.path.splitext(file)[1].lower() try: - testCompile = yara.compile(filename) + yara.compile(filename) self.ruleFilespecs[filename] = filename except yara.SyntaxError as e: - if self.debug: - eprint(f'{get_ident()} Ignored Yara compile error in (unknown): {e}') - if self.verboseDebug: - eprint(f"{get_ident()}: Initializing Yara with {len(self.ruleFilespecs)} rules files: {self.ruleFilespecs}") - elif self.debug: - eprint(f"{get_ident()}: Initializing Yara with {len(self.ruleFilespecs)} rules files") + self.logger.info(f'{get_ident()} Ignored Yara compile error in (unknown): {e}') + self.logger.info(f"{get_ident()}: Initializing Yara with {len(self.ruleFilespecs)} rules files") + self.logger.debug( + f"{get_ident()}: Initializing Yara with {len(self.ruleFilespecs)} rules files: {self.ruleFilespecs}" + ) + self.compiledRules = yara.compile(filepaths=self.ruleFilespecs) @staticmethod @@ -817,13 +692,14 @@ def check_interval(): def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeout=YARA_SUBMIT_TIMEOUT_SEC): yaraResult = AnalyzerResult() allowed = False - matches = [] # timeout only applies if block=True timeoutTime = int(time.time()) + timeout # while limit only repeats if block=True while (not allowed) and (not yaraResult.finished): + nowTime = int(time.time()) + # first make sure we haven't exceeded rate limits if self.scanningFilesCount.increment() <= self.reqLimit: # we've got fewer than the allowed requests open, so we're good to go! 
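Review bot: The compile-error log line still says `in (unknown)` although `filename` is in scope two lines above it, so a broken rule file cannot be identified from the log: `self.logger.info(f'{get_ident()} Ignored Yara compile error in {filename}: {e}')`. Because a rule that fails to compile is silently left out of `self.ruleFilespecs`, this line is the only trace that detection coverage shrank, which argues for `warning` rather than `info`. It is also worth confirming what `yara.compile(filepaths=self.ruleFilespecs)` does when every file was rejected and the dict is empty; a scanner that starts with zero rules should at least log that fact.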
@@ -833,11 +709,9 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo if allowed: try: - if self.verboseDebug: - eprint(f'{get_ident()} Yara scanning: {fileName}') + self.logger.debug(f'{get_ident()} Yara scanning: {fileName}') yaraResult.result = self.compiledRules.match(fileName, timeout=YARA_RUN_TIMEOUT_SEC) - if self.verboseDebug: - eprint(f'{get_ident()} Yara scan result: {yaraResult.result}') + self.logger.debug(f'{get_ident()} Yara scan result: {yaraResult.result}') yaraResult.success = yaraResult.result is not None yaraResult.finished = True except Exception as e: @@ -845,8 +719,7 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo yaraResult.result = {"error": str(e)} yaraResult.success = False yaraResult.finished = True - if self.debug: - eprint(f'{get_ident()} Yara scan error: {yaraResult.result}') + self.logger.info(f'{get_ident()} Yara scan error: {yaraResult.result}') finally: self.scanningFilesCount.decrement() @@ -908,11 +781,16 @@ def format(fileName, response): class CapaScan(FileScanProvider): # --------------------------------------------------------------------------------- # constructor - def __init__(self, debug=False, verboseDebug=False, rulesDir=None, verboseHits=False, reqLimit=None): + def __init__( + self, + logger=None, + rulesDir=None, + verboseHits=False, + reqLimit=None, + ): self.scanningFilesCount = AtomicInt(value=0) self.rulesDir = rulesDir - self.debug = debug - self.verboseDebug = verboseDebug + self.logger = logger if logger else logging self.verboseHits = verboseHits self.reqLimit = reqLimit if reqLimit else CAPA_MAX_REQS 
@@ -940,6 +818,8 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo # while limit only repeats if block=True while (not allowed) and (not capaResult.finished): + nowTime = int(time.time()) + # first make sure we haven't exceeded rate limits if self.scanningFilesCount.increment() <= self.reqLimit: # we've got fewer than the allowed requests open, so we're good to go! @@ -949,8 +829,7 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo if allowed: try: - if self.verboseDebug: - eprint(f'{get_ident()} Capa scanning: {fileName}') + self.logger.debug(f'{get_ident()} Capa scanning: {fileName}') if self.rulesDir is not None: cmd = [ @@ -984,7 +863,7 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo 'never', fileName, ] - capaErr, capaOut = run_process(cmd, stderr=False, debug=self.debug) + capaErr, capaOut = run_process(cmd, stderr=False, logger=self.logger) if (capaErr == 0) and (len(capaOut) > 0) and (len(capaOut[0]) > 0): # load the JSON output from capa into the .result try: @@ -996,23 +875,21 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo # probably failed because it's not an executable, ignore it capaResult.result = {"error": str(capaErr)} - if self.verboseDebug: - eprint(f'{get_ident()} Capa scan result: {capaResult.result}') + self.logger.debug(f'{get_ident()} Capa scan result: {capaResult.result}') capaResult.success = capaResult.result is not None capaResult.finished = True except Exception as e: if capaResult.result is None: capaResult.result = str(e) - if self.debug: - eprint(f'{get_ident()} Capa scan error: {capaResult.result}') + self.logger.debug(f'{get_ident()} Capa scan error: {capaResult.result}') finally: self.scanningFilesCount.decrement() try: if os.path.isfile(fileName + CAPA_VIV_SUFFIX): os.remove(fileName + CAPA_VIV_SUFFIX) - except Exception as fe: + except Exception: pass elif block and (nowTime < timeoutTime): 
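Review bot: In `CapaScan.submit` the scan-error line is logged at `debug` (`self.logger.debug(f'{get_ident()} Capa scan error: {capaResult.result}')`) while the equivalent lines in `ClamAVScan.submit` and `YaraScan.submit` use `info`, and the removed code gated this one on `self.debug`, which maps to `info` everywhere else in this commit. Change it to `self.logger.info(...)` so scan failures surface at the same verbosity for every provider. `submit` begins and ends outside this hunk.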
diff --git a/shared/bin/zeek_carve_watcher.py b/shared/bin/zeek_carve_watcher.py
index c1cf3a70c..e2b93590a 100755
--- a/shared/bin/zeek_carve_watcher.py
+++ b/shared/bin/zeek_carve_watcher.py
@@ -10,52 +10,61 @@ ################################################################################################### import argparse -import copy import glob import json +import logging import magic import os import pathlib -import pyinotify import signal import sys import time import zmq -from zeek_carve_utils import * +from multiprocessing.pool import ThreadPool +from watchdog.observers import Observer +from watchdog.observers.polling import PollingObserver +from watchdog.utils import WatchdogShutdown + +from zeek_carve_utils import ( + CAPA_VIV_MIME, + CAPA_VIV_SUFFIX, + FILE_SCAN_RESULT_FILE, + FILE_SCAN_RESULT_FILE_SIZE, + FILE_SCAN_RESULT_FILE_TYPE, + VENTILATOR_PORT, +) + +import malcolm_utils +from malcolm_utils import touch, eprint, str2bool +import watch_common ################################################################################################### MINIMUM_CHECKED_FILE_SIZE_DEFAULT = 64 MAXIMUM_CHECKED_FILE_SIZE_DEFAULT = 134217728 ################################################################################################### -debug = False -verboseDebug = False pdbFlagged = False args = None scriptName = os.path.basename(__file__) scriptPath = os.path.dirname(os.path.realpath(__file__)) origPath = os.getcwd() -shuttingDown = False +shuttingDown = [False] + ################################################################################################### # watch files written to and moved to this directory -class EventWatcher(pyinotify.ProcessEvent): - - # notify on files written in-place then closed (IN_CLOSE_WRITE), and moved into this directory (IN_MOVED_TO) - _methods = ["IN_CLOSE_WRITE", "IN_MOVED_TO"] - - def __init__(self): - global debug - +class EventWatcher: + def __init__(self, logger=None): super().__init__() + self.logger = logger if logger else logging + # initialize ZeroMQ context and socket(s) to send messages to self.context = zmq.Context() # Socket to send messages on - if debug: - eprint(f"{scriptName}:\tbinding 
ventilator port {VENTILATOR_PORT}") + self.logger.info(f"{scriptName}:\tbinding ventilator port {VENTILATOR_PORT}") self.ventilator_socket = self.context.socket(zmq.PUB) self.ventilator_socket.bind(f"tcp://*:{VENTILATOR_PORT}") 
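Review bot: `EventWatcher` no longer derives from `pyinotify.ProcessEvent`, so the `super().__init__()` call at the top of its constructor now resolves to `object.__init__` and does nothing; drop it so the class does not suggest there is base-class setup to run. `eprint` is added to the `from malcolm_utils import ...` line but no use of it is visible in this hunk, so it is worth confirming it is still needed now that the module logs through `logging`. The constructor continues in the next hunk.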
@@ -63,71 +72,56 @@ def __init__(self): # and if he can't then what's the point? just block # self.ventilator_socket.SNDTIMEO = 5000 - if debug: - eprint(f"{scriptName}:\tEventWatcher initialized") - - -################################################################################################### -# set up event processor to append processed events from to the event queue -def event_process_generator(cls, method): - - # actual method called when we are notified of a file - def _method_name(self, event): + self.logger.info(f"{scriptName}:\tEventWatcher initialized") + ################################################################################################### + # set up event processor to append processed events from to the event queue + def processFile(self, pathname): global args - global debug - global verboseDebug - if debug: - eprint(f"{scriptName}:\t👓\t{event.pathname}") + self.logger.info(f"{scriptName}:\t👓\t{pathname}") - if (not event.dir) and os.path.isfile(event.pathname): - - fileSize = os.path.getsize(event.pathname) + if os.path.isfile(pathname): + fileSize = os.path.getsize(pathname) if args.minBytes <= fileSize <= args.maxBytes: - - fileType = magic.from_file(event.pathname, mime=True) - if (pathlib.Path(event.pathname).suffix != CAPA_VIV_SUFFIX) and (fileType != CAPA_VIV_MIME): + fileType = magic.from_file(pathname, mime=True) + if (pathlib.Path(pathname).suffix != CAPA_VIV_SUFFIX) and (fileType != CAPA_VIV_MIME): # the entity is a right-sized file, is not a capa .viv cache file, and it exists, so send it to get scanned fileInfo = json.dumps( { - FILE_SCAN_RESULT_FILE: event.pathname, + FILE_SCAN_RESULT_FILE: pathname, FILE_SCAN_RESULT_FILE_SIZE: fileSize, FILE_SCAN_RESULT_FILE_TYPE: fileType, } ) - if debug: - eprint(f"{scriptName}:\t📩\t{fileInfo}") + self.logger.info(f"{scriptName}:\t📩\t{fileInfo}") try: self.ventilator_socket.send_string(fileInfo) - if debug: - eprint(f"{scriptName}:\t📫\t{event.pathname}") - except zmq.Again as 
timeout: - if verboseDebug: - eprint(f"{scriptName}:\t🕑\t{event.pathname}") + self.logger.info(f"{scriptName}:\t📫\t{pathname}") + except zmq.Again: + self.logger.debug(f"{scriptName}:\t🕑\t{pathname}") else: # temporary capa .viv file, just ignore it as it will get cleaned up by the scanner when it's done - if debug: - eprint(f"{scriptName}:\t🚧\t{event.pathname}") + self.logger.info(f"{scriptName}:\t🚧\t{pathname}") else: # too small/big to care about, delete it - os.remove(event.pathname) - if debug: - eprint(f"{scriptName}:\t🚫\t{event.pathname}") + os.remove(pathname) + self.logger.info(f"{scriptName}:\t🚫\t{pathname}") + - # assign process method to class - _method_name.__name__ = "process_{}".format(method) - setattr(cls, _method_name.__name__, _method_name) +def file_processor(pathname, **kwargs): + if "watcher" in kwargs and kwargs["watcher"]: + kwargs["watcher"].processFile(pathname) ################################################################################################### # handle sigint/sigterm and set a global shutdown variable def shutdown_handler(signum, frame): global shuttingDown - shuttingDown = True + shuttingDown[0] = True ################################################################################################### 
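Review bot: `file_processor` drops the path silently when `kwargs` has no truthy `watcher`, so a mis-wired worker would discard every carved file with nothing in the log; an `else` branch with `logging.warning(f"{scriptName}:\tno watcher for {pathname}")`, or a docstring stating that the `watcher` keyword is mandatory, would make that failure visible. In `processFile`, the file is checked with `os.path.isfile` and then touched by `getsize`, `magic.from_file` and `os.remove` with no handling for it disappearing in between; under the new polling worker the call can arrive `assumeClosedSec` after the last event, so a `FileNotFoundError` here propagates into the worker thread — presumably `ProcessFileEventWorker` handles that, but it is not visible in this diff.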
@@ -137,49 +131,15 @@ def pdb_handler(sig, frame): pdbFlagged = True -################################################################################################### -# handle sigusr2 for toggling debug -def debug_toggle_handler(signum, frame): - global debug - global debugToggled - debug = not debug - debugToggled = True - - ################################################################################################### # main def main(): global args - global debug - global verboseDebug - global debugToggled global pdbFlagged global shuttingDown parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) - parser.add_argument( - '-v', - '--verbose', - dest='debug', - help="Verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) - parser.add_argument( - '--extra-verbose', - dest='verboseDebug', - help="Super verbose output", - metavar='true|false', - type=str2bool, - nargs='?', - const=True, - default=False, - required=False, - ) + parser.add_argument('--verbose', '-v', action='count', default=1, help='Increase verbosity (e.g., -v, -vv, etc.)') parser.add_argument( '--ignore-existing', dest='ignoreExisting', @@ -209,6 +169,30 @@ def main(): type=str, required=False, ) + parser.add_argument( + '-p', + '--polling', + dest='polling', + help="Use polling (instead of inotify)", + metavar='true|false', + type=str2bool, + nargs='?', + const=True, + default=os.getenv('EXTRACTED_FILE_WATCHER_POLLING', False), + required=False, + ) + parser.add_argument( + '-c', + '--closed-sec', + dest='assumeClosedSec', + help="When polling, assume a file is closed after this many seconds of inactivity", + metavar='', + type=int, + default=int( + os.getenv('EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC', str(watch_common.ASSUME_CLOSED_SEC_DEFAULT)) + ), + required=False, + ) parser.add_argument( '--min-bytes', dest='minBytes', 
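Review bot: `default=int(os.getenv('EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC', ...))` converts the environment variable while the parser is being built, so a non-numeric value raises `ValueError` with a traceback before `parse_args` runs instead of going through the parser's usage/exit path. argparse applies `type` to string defaults, so `default=os.getenv('EXTRACTED_FILE_WATCHER_POLLING_ASSUME_CLOSED_SEC', str(watch_common.ASSUME_CLOSED_SEC_DEFAULT))` with the existing `type=int` yields the same value and a proper argument error. The `--polling` option just above already relies on this behavior for its `str2bool` default.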
@@ -239,38 +223,33 @@ def main(): parser.print_help() exit(2) - verboseDebug = args.verboseDebug - debug = args.debug or verboseDebug - if debug: - eprint(os.path.join(scriptPath, scriptName)) - eprint("{} arguments: {}".format(scriptName, sys.argv[1:])) - eprint("{} arguments: {}".format(scriptName, args)) - else: + args.verbose = logging.ERROR - (10 * args.verbose) if args.verbose > 0 else 0 + logging.basicConfig( + level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S' + ) + logging.info(os.path.join(scriptPath, scriptName)) + logging.info("Arguments: {}".format(sys.argv[1:])) + logging.info("Arguments: {}".format(args)) + if args.verbose > logging.DEBUG: sys.tracebacklimit = 0 # handle sigint and sigterm for graceful shutdown signal.signal(signal.SIGINT, shutdown_handler) signal.signal(signal.SIGTERM, shutdown_handler) signal.signal(signal.SIGUSR1, pdb_handler) - signal.signal(signal.SIGUSR2, debug_toggle_handler) # sleep for a bit if requested sleepCount = 0 - while (not shuttingDown) and (sleepCount < args.startSleepSec): + while (not shuttingDown[0]) and (sleepCount < args.startSleepSec): time.sleep(1) sleepCount += 1 - # add events to watch to EventWatcher class - for method in EventWatcher._methods: - event_process_generator(EventWatcher, method) - # if directory to monitor doesn't exist, create it now if os.path.isdir(args.baseDir): preexistingDir = True else: preexistingDir = False - if debug: - eprint(f'{scriptname}: creating "{args.baseDir}" to monitor') + logging.info(f'{scriptName}:\tcreating "{args.baseDir}" to monitor') pathlib.Path(args.baseDir).mkdir(parents=False, exist_ok=True) # if recursion was requested, get list of directories to monitor 
@@ -283,40 +262,78 @@ def main(): # begin threaded watch of path(s) time.sleep(1) - watch_manager = pyinotify.WatchManager() - event_notifier = pyinotify.ThreadedNotifier(watch_manager, EventWatcher()) + + observer = PollingObserver() if args.polling else Observer() + handler = watch_common.FileOperationEventHandler( + logger=None, + polling=args.polling, + ) for watchDir in watchDirs: - watch_manager.add_watch(os.path.abspath(watchDir), pyinotify.ALL_EVENTS) - if debug: - eprint(f"{scriptName}: monitoring {watchDirs}") - time.sleep(2) - event_notifier.start() - - # if there are any previously included files (and not ignoreExisting), "touch" them so that they will be notified on - if preexistingDir and (not args.ignoreExisting): - filesTouched = 0 - for watchDir in watchDirs: - for preexistingFile in [os.path.join(watchDir, x) for x in pathlib.Path(watchDir).iterdir() if x.is_file()]: - touch(preexistingFile) - filesTouched += 1 - if debug and (filesTouched > 0): - eprint(f"{scriptName}: found {filesTouched} preexisting files to check") - - # loop forever, or until we're told to shut down, whichever comes first - while not shuttingDown: - if pdbFlagged: - pdbFlagged = False - breakpoint() - time.sleep(0.2) - - # graceful shutdown - if debug: - eprint(f"{scriptName}: shutting down...") - event_notifier.stop() + logging.info(f"{scriptName}:\tScheduling {watchDir}") + observer.schedule(handler, watchDir, recursive=False) + + observer.start() + + logging.info(f"{scriptName}:\tmonitoring {watchDirs}") + + try: + time.sleep(2) + + # if there are any previously included files (and not ignoreExisting), "touch" them so that they will be notified on + if preexistingDir and (not args.ignoreExisting) and (not shuttingDown[0]): + filesTouched = 0 + for watchDir in watchDirs: + for preexistingFile in [ + os.path.join(watchDir, x) for x in pathlib.Path(watchDir).iterdir() if x.is_file() + ]: + touch(preexistingFile) + filesTouched += 1 + if filesTouched > 0: + 
logging.info(f"{scriptName}:\tfound {filesTouched} preexisting files to check") + + # start the thread to actually handle the files as they're queued by the FileOperationEventHandler handler + workerThreadCount = malcolm_utils.AtomicInt(value=0) + ThreadPool( + 1, + watch_common.ProcessFileEventWorker( + [ + handler, + observer, + file_processor, + {'watcher': EventWatcher(logger=logging)}, + args.assumeClosedSec, + workerThreadCount, + shuttingDown, + logging, + ], + ), + ) + + # loop forever, or until we're told to shut down, whichever comes first + while (not shuttingDown[0]) and observer.is_alive(): + if pdbFlagged: + pdbFlagged = False + breakpoint() + observer.join(1) + + # graceful shutdown + logging.info(f"{scriptName}:\tshutting down...") + + if shuttingDown[0]: + raise WatchdogShutdown() + + except WatchdogShutdown: + observer.unschedule_all() + + finally: + observer.stop() + observer.join() + time.sleep(1) + while workerThreadCount.value() > 0: + time.sleep(1) - if debug: - eprint(f"{scriptName}: finished monitoring {watchDirs}") + logging.info(f"{scriptName}:\tfinished monitoring {watchDirs}") if __name__ == '__main__': diff --git a/shared/bin/zeek_carved_http_server.py b/shared/bin/zeek_carved_http_server.py index 93380e59b..8b385c9de 100755 --- a/shared/bin/zeek_carved_http_server.py +++ b/shared/bin/zeek_carved_http_server.py @@ -15,9 +15,8 @@ from http.server import HTTPServer, SimpleHTTPRequestHandler from Crypto.Cipher import AES -KEY_SIZE = 32 -OPENSSL_ENC_MAGIC = b'Salted__' -PKCS5_SALT_LEN = 8 + +from malcolm_utils import str2bool, eprint, EVP_KEY_SIZE, PKCS5_SALT_LEN, OPENSSL_ENC_MAGIC, EVP_BytesToKey ################################################################################################### args = None 
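Review bot: `workerThreadCount` is first assigned inside the `try:` block, after `time.sleep(2)` and the preexisting-file `touch` loop, but the `finally:` block reads `workerThreadCount.value()`, so any exception raised before that assignment (a `touch` on a file that vanished, for instance) is replaced by a `NameError` from the cleanup code. Move `workerThreadCount = malcolm_utils.AtomicInt(value=0)` above the `try:`. Separately, `watch_common.FileOperationEventHandler(logger=None, ...)` is the one constructor in this commit not given `logger=logging`; presumably it falls back to the root logger, but passing `logging` would keep the wiring uniform.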
@@ -26,64 +25,10 @@ script_path = os.path.dirname(os.path.realpath(__file__)) orig_path = os.getcwd() -################################################################################################### -# print to stderr -def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) - sys.stderr.flush() - - -################################################################################################### -# convenient boolean argument parsing -def str2bool(v): - if v.lower() in ('yes', 'true', 't', 'y', '1'): - return True - elif v.lower() in ('no', 'false', 'f', 'n', '0'): - return False - else: - raise argparse.ArgumentTypeError('Boolean value expected.') - - -################################################################################################### -# EVP_BytesToKey -# -# reference: https://github.com/openssl/openssl/blob/6f0ac0e2f27d9240516edb9a23b7863e7ad02898/crypto/evp/evp_key.c#L74 -# https://gist.github.com/chrono-meter/d122cbefc6f6248a0af554995f072460 -def EVP_BytesToKey(key_length: int, iv_length: int, md, salt: bytes, data: bytes, count: int = 1) -> (bytes, bytes): - assert data - assert salt == b'' or len(salt) == PKCS5_SALT_LEN - - md_buf = b'' - key = b'' - iv = b'' - addmd = 0 - - while key_length > len(key) or iv_length > len(iv): - c = md() - if addmd: - c.update(md_buf) - addmd += 1 - c.update(data) - c.update(salt) - md_buf = c.digest() - for i in range(1, count): - md_buf = md(md_buf) - - md_buf2 = md_buf - - if key_length > len(key): - key, md_buf2 = key + md_buf2[: key_length - len(key)], md_buf2[key_length - len(key) :] - - if iv_length > len(iv): - iv = iv + md_buf2[: iv_length - len(iv)] - - return key, iv - ################################################################################################### # class HTTPHandler(SimpleHTTPRequestHandler): - # return full path based on server base path and requested path def translate_path(self, path): path = SimpleHTTPRequestHandler.translate_path(self, path) 
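Review bot: The one-line comment above `HTTPHandler.translate_path` (`# return full path based on server base path and requested path`) is removed without a replacement, leaving the override undocumented; restore it as a docstring, `"""Resolve the requested URL path against the server's base directory."""`. The method body continues outside the hunk.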
@@ -110,7 +55,7 @@ def do_GET(self): self.send_header('Content-Disposition', f'attachment; filename={os.path.basename(fullpath)}.encrypted') self.end_headers() salt = os.urandom(PKCS5_SALT_LEN) - key, iv = EVP_BytesToKey(KEY_SIZE, AES.block_size, hashlib.sha256, salt, args.key.encode('utf-8')) + key, iv = EVP_BytesToKey(EVP_KEY_SIZE, AES.block_size, hashlib.sha256, salt, args.key.encode('utf-8')) cipher = AES.new(key, AES.MODE_CBC, iv) encrypted = b"" encrypted += OPENSSL_ENC_MAGIC @@ -204,7 +149,13 @@ def main(): help=f"Encrypt files with aes-256-cbc ({defaultEncrypt})", ) parser.add_argument( - '-k', '--key', dest='key', help=f"File encryption key", metavar='', type=str, default=defaultKey + '-k', + '--key', + dest='key', + help="File encryption key", + metavar='', + type=str, + default=defaultKey, ) try: parser.error = parser.exit diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh index d87fde9d5..735463b5c 100755 --- a/shared/bin/zeek_install_plugins.sh +++ b/shared/bin/zeek_install_plugins.sh @@ -73,6 +73,8 @@ ZKG_GITHUB_URLS=( "https://github.com/0xl3x1/zeek-EternalSafety" "https://github.com/0xxon/cve-2020-0601" "https://github.com/0xxon/cve-2020-13777" + "https://github.com/amzn/zeek-plugin-profinet|master" + "https://github.com/amzn/zeek-plugin-tds|master" "https://github.com/cisagov/icsnpp-bacnet" "https://github.com/cisagov/icsnpp-bsap" "https://github.com/cisagov/icsnpp-dnp3" 
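Review bot: The key derivation on the changed line is OpenSSL's legacy EVP_BytesToKey scheme — a single SHA-256 pass over passphrase and salt with, going by the removed local definition's `count: int = 1` default (the malcolm_utils copy is not visible here), no iteration at all — so the file encryption is exactly as strong as `args.key` and nothing more. That is what `openssl enc -d -aes-256-cbc -md sha256` without `-pbkdf2` expects, so it is presumably deliberate, but nothing in the code records the constraint. A comment on the call, `# legacy EVP_BytesToKey (one SHA-256 round, no key stretching) — kept for 'openssl enc -aes-256-cbc -md sha256' compatibility; EVP_KEY_SIZE must stay 32 for the aes-256 claim in --help`, would stop a later reader from either "fixing" it into incompatibility or assuming it is PBKDF2. do_GET starts and ends outside the hunk.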
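Review bot: `--key` still takes the file-encryption key on the command line, so any value passed this way is visible to every local user for the lifetime of the server via `ps` or `/proc/<pid>/cmdline` and may land in shell history; `defaultKey` is not visible here but presumably comes from the environment. Since only the layout of this `add_argument` changed, the least that should happen is that the help string says so, e.g. `help="File encryption key (prefer the environment default; values given on the command line are visible to other local processes)"`. main() continues outside the hunk.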
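Review bot: The two added entries pull third-party Zeek plugins from GitHub pinned only to a branch name (`|master`), so every image build takes whatever that branch points at on the day; the `salesforce/ja3` entry added in the next hunk (L1153) and, via the default branch, every unsuffixed URL in this array have the same property. How the `|` suffix is consumed is not visible here; if it accepts a commit or tag, pinning to a tested revision, e.g. `"https://github.com/amzn/zeek-plugin-profinet|<tested-commit-or-tag>"`, makes the build reproducible and turns an upstream change into a deliberate update rather than a silent one. If it only accepts branch names, a comment recording the revision that was validated is the next best thing.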
@@ -107,14 +109,12 @@ ZKG_GITHUB_URLS=( "https://github.com/corelight/zerologon" "https://github.com/cybera/zeek-sniffpass" "https://github.com/mmguero-dev/bzar" - "https://github.com/mmguero-dev/ja3" - "https://github.com/mmguero-dev/zeek-plugin-profinet|master" - "https://github.com/mmguero-dev/zeek-plugin-tds|master" "https://github.com/ncsa/bro-is-darknet" "https://github.com/ncsa/bro-simple-scan" "https://github.com/precurse/zeek-httpattacks" "https://github.com/salesforce/GQUIC_Protocol_Analyzer" "https://github.com/salesforce/hassh" + "https://github.com/salesforce/ja3" "https://github.com/zeek/spicy-dhcp" "https://github.com/zeek/spicy-dns" "https://github.com/zeek/spicy-http" diff --git a/shared/bin/zeek_intel_from_threat_feed.py b/shared/bin/zeek_intel_from_threat_feed.py index b393ae1d4..45184e838 100755 --- a/shared/bin/zeek_intel_from_threat_feed.py +++ b/shared/bin/zeek_intel_from_threat_feed.py @@ -15,6 +15,9 @@ import sys import zeek_threat_feed_utils +import malcolm_utils +from contextlib import nullcontext + ################################################################################################### script_name = os.path.basename(__file__) script_path = os.path.dirname(os.path.realpath(__file__)) @@ -155,7 +158,7 @@ def main(): elif '://' in infileArg: # download from URL and read input from remote file - with zeek_threat_feed_utils.temporary_filename(suffix='.txt') as tmpFileName: + with malcolm_utils.temporary_filename(suffix='.txt') as tmpFileName: dlFileName = zeek_threat_feed_utils.download_to_file( infileArg, local_filename=tmpFileName, @@ -178,8 +181,8 @@ def main(): # we'll queue and then process all of the input arguments in workers inputQueue = deque() inputQueue.extend(args.input) - workerThreadCount = zeek_threat_feed_utils.AtomicInt(value=0) - workerThreads = ThreadPool( + workerThreadCount = malcolm_utils.AtomicInt(value=0) + ThreadPool( args.threads, zeek_threat_feed_utils.ProcessThreatInputWorker, ( 
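Review bot: `from contextlib import nullcontext` is added to zeek_intel_from_threat_feed.py, but no use of it appears in this file's hunks — the `nullcontext()` visible further down (L1157) is in zeek_threat_feed_utils.py, which does its own importing — so unless main() uses it somewhere outside the hunks it is a dead import. The line also lands after the project-local `import zeek_threat_feed_utils` / `import malcolm_utils` lines, whereas the stdlib group (`import sys` is the last visible member) sits above them; moving it up keeps the grouping the file already follows.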
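Review bot: Dropping the `workerThreads =` binding leaves the `ThreadPool` object unreferenced the moment the statement completes, so it can never be `close()`d or `join()`ed, and on Python 3.8+ collecting a pool that is still running emits a ResourceWarning ("unclosed running multiprocessing pool"). The pool is evidently constructed only so that its initializer runs `ProcessThreatInputWorker` in each thread, and the watcher hunk at the top of this chunk (L1150, whose start is outside my view) discards its pool the same way. Either keep the handle and close/join it once `workerThreadCount` reaches zero, or say so on the call: `# pool used only to run ProcessThreatInputWorker as the per-thread initializer; thread lifetime is tracked via workerThreadCount`, so the discarded return value reads as intentional rather than a leftover from the unused-variable fix. main() continues outside the hunk.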
@@ -187,6 +190,7 @@ def main(): inputQueue, zeekPrinter, since, + defaultNow, workerThreadCount, logging, ], diff --git a/shared/bin/zeek_intel_setup.sh b/shared/bin/zeek_intel_setup.sh index e27181a34..c02955e02 100755 --- a/shared/bin/zeek_intel_setup.sh +++ b/shared/bin/zeek_intel_setup.sh @@ -25,7 +25,7 @@ function finish { rmdir -- "$LOCK_DIR" || echo "Failed to remove lock directory '$LOCK_DIR'" >&2 } -if mkdir -- "$LOCK_DIR" 2>/dev/null; then +if mkdir -p -- "$LOCK_DIR" 2>/dev/null; then trap finish EXIT # create directive to @load every subdirectory in /opt/zeek/share/zeek/site/intel diff --git a/shared/bin/zeek_threat_feed_utils.py b/shared/bin/zeek_threat_feed_utils.py index 954ad25a8..e5446a6aa 100644 --- a/shared/bin/zeek_threat_feed_utils.py +++ b/shared/bin/zeek_threat_feed_utils.py @@ -6,7 +6,6 @@ # - BSD 3-Clause license: https://github.com/tenzir/threatbus/blob/master/COPYING # - Zeek Plugin: https://github.com/tenzir/threatbus/blob/master/COPYING -from base64 import b64decode from bs4 import BeautifulSoup from collections import defaultdict from collections.abc import Iterable @@ -27,7 +26,6 @@ from taxii2client.v21 import as_pages as TaxiiAsPages_v21 from taxii2client.v21 import Collection as TaxiiCollection_v21 from taxii2client.v21 import Server as TaxiiServer_v21 -from tempfile import NamedTemporaryFile from threading import Lock from time import sleep, mktime from typing import Tuple, Union @@ -37,6 +35,7 @@ import re import requests +from malcolm_utils import base64_decode_if_prefixed, LoadStrIfJson, LoadFileIfJson # keys for dict returned by map_stix_indicator_to_zeek for Zeek intel file fields ZEEK_INTEL_INDICATOR = 'indicator' 
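Review bot: Adding `-p` defeats the lock: the original `mkdir -- "$LOCK_DIR"` fails when the directory already exists, which is what made it a mutual-exclusion primitive (the `finish` trap's `rmdir` releases it), whereas `mkdir -p` returns 0 on an existing directory, so two concurrent runs now both enter the guarded block and both rewrite the intel `@load` directive. If the motivation was a missing parent directory, create the parent separately and keep the atomic create for the lock itself: `mkdir -p -- "$(dirname -- "$LOCK_DIR")"` on the line before, then the unchanged `if mkdir -- "$LOCK_DIR" 2>/dev/null; then`. If it was instead a stale lock left by an unclean exit, that wants explicit handling (an age check, or removal when no owning process exists) rather than disabling exclusion altogether.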
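Review bot: The new `from malcolm_utils import …` line is appended after `import requests`, whereas, going by the visible context, the file keeps its `from … import` lines in one alphabetical run (`base64`, `bs4`, `collections`, … `taxii2client`, `threading`, `time`, `typing`) ahead of the plain `import` lines; slotting it into that run where `malcolm_utils` falls alphabetically keeps the convention the file already has. Separately, with `temporary_filename` and `AtomicInt` moved out in the hunks below (L1155, L1156), the `contextmanager`, `tempfile` and `RawValue` names those definitions used may no longer be referenced in this module — their import lines are outside this hunk, so a linter pass is worth doing; `Lock` survives as context above and may still be used by FeedParserZeekPrinter.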
@@ -113,38 +112,6 @@ } -def base64_decode_if_prefixed(s: str): - if s.startswith('base64:'): - return b64decode(s[7:]).decode('utf-8') - else: - return s - - -def LoadStrIfJson(jsonStr): - try: - return json.loads(jsonStr) - except ValueError as e: - return None - - -def LoadFileIfJson(fileHandle): - try: - return json.load(fileHandle) - except ValueError as e: - return None - - -@contextmanager -def temporary_filename(suffix=None): - try: - f = tempfile.NamedTemporaryFile(suffix=suffix, delete=False) - tmp_name = f.name - f.close() - yield tmp_name - finally: - os.unlink(tmp_name) - - # get URL directory listing def get_url_paths_from_response(response_text, parent_url='', ext=''): soup = BeautifulSoup(response_text, 'html.parser') @@ -225,7 +192,6 @@ def is_stix_point_equality_ioc(indicator_type: type, pattern_str: str, logger=No """ try: if pattern := stix_pattern_from_str(indicator_type, pattern_str): - # InspectionListener https://github.com/oasis-open/cti-pattern-validator/blob/e926d0a14adf88de08acb908a51db1f453c13647/stix2patterns/v21/inspector.py#L5 # E.g., pattern = "[domain-name:value = 'evil.com']" # => il = pattern_data(comparisons={'domain-name': [(['value'], '=', "'evil.com'")]}, observation_ops=set(), qualifiers=set()) @@ -273,7 +239,6 @@ def split_stix_object_path_and_value( for comparison in list(il.comparisons.keys()): for element in il.comparisons[comparison]: if isinstance(element, Iterable) and (len(element) == 3) and (element[1] in ('=', '==')): - # construct object path name, e.g.: # file:hashes.'SHA-1' # software:name @@ -334,7 +299,6 @@ def map_stix_indicator_to_zeek( results = [] for object_path, ioc_value in split_stix_object_path_and_value(type(indicator), indicator.pattern, logger): - # get matching Zeek intel type if not (zeek_type := STIX_ZEEK_INTEL_TYPE_MAP.get(object_path, None)): if logger is not None: 
@@ -420,7 +384,6 @@ def map_misp_attribute_to_zeek( # process type/value pairs for zeek_type, attribute_value in valTypePairs: - if zeek_type == "URL": # remove leading protocol, if any parsed = urlparse(attribute_value) @@ -457,32 +420,6 @@ def map_misp_attribute_to_zeek( return results -class AtomicInt: - def __init__(self, value=0): - self.val = RawValue('i', value) - self.lock = Lock() - - def increment(self): - with self.lock: - self.val.value += 1 - return self.val.value - - def decrement(self): - with self.lock: - self.val.value -= 1 - return self.val.value - - def value(self): - with self.lock: - return self.val.value - - def __enter__(self): - return self.increment() - - def __exit__(self, type, value, traceback): - return self.decrement() - - class FeedParserZeekPrinter(object): lock = None fields = [] @@ -538,7 +475,6 @@ def ProcessSTIX( # parse the STIX and process all "Indicator" objects for obj in STIXParse(toParse, allow_custom=True).objects: if type(obj).__name__ == "Indicator": - # map indicator object to Zeek value(s) if ((self.since is None) or (obj.created >= self.since) or (obj.modified >= self.since)) and ( vals := map_stix_indicator_to_zeek(indicator=obj, source=source, logger=self.logger) @@ -551,7 +487,7 @@ def ProcessSTIX( except STIXError as ve: if self.logger is not None: - self.logger.warning(f"{type(ve).__name__} parsing '{infile}': {ve}") + self.logger.warning(f"{type(ve).__name__}: {ve}") def ProcessMISP( self, 
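Review bot: The changed warning drops the file reference, so a malformed STIX feed now logs only `STIXError: …` with nothing to say which input failed — costly in an intel pipeline where triage starts with "which feed broke". Presumably `infile` went because it is not a name in ProcessSTIX's scope (its signature is outside the hunk), but `source` is, as the `map_stix_indicator_to_zeek(indicator=obj, source=source, …)` call in the same hunk shows; `self.logger.warning(f"{type(ve).__name__} parsing {source}: {ve}")` keeps the attribution without reintroducing the bad name.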
@@ -584,17 +520,16 @@ def ProcessMISP( certaintyTags = [x.name.replace('"', '') for x in event.Tag if x.name.startswith('osint:certainty')] try: certainty = float(certaintyTags[0].split('=')[-1]) if len(certaintyTags) > 0 else None - except ValueError as ve: + except ValueError: certainty = None else: tags = [] certainty = None for attribute in event.attributes: - # map event attribute to Zeek value(s) if ( - ((not hasattr(attribute, 'deleted')) or (attribute.deleted == False)) + ((not hasattr(attribute, 'deleted')) or (not attribute.deleted)) and ((self.since is None) or (event.timestamp >= self.since) or (attribute.timestamp >= self.since)) and ( vals := map_misp_attribute_to_zeek( @@ -620,13 +555,13 @@ def ProcessMISP( def ProcessThreatInputWorker(threatInputWorkerArgs): - - inputQueue, zeekPrinter, since, workerThreadCount, logger = ( + inputQueue, zeekPrinter, since, defaultNow, workerThreadCount, logger = ( threatInputWorkerArgs[0], threatInputWorkerArgs[1], threatInputWorkerArgs[2], threatInputWorkerArgs[3], threatInputWorkerArgs[4], + threatInputWorkerArgs[5], ) with workerThreadCount as workerId: @@ -641,9 +576,7 @@ def ProcessThreatInputWorker(threatInputWorkerArgs): sleep(1) else: try: - with open(inarg) if ((inarg is not None) and os.path.isfile(inarg)) else nullcontext() as infile: - if infile: ################################################################################## # JSON FILE (STIX or MISP) @@ -660,7 +593,7 @@ def ProcessThreatInputWorker(threatInputWorkerArgs): # TODO: is this always the case? anything other than "Event", or multiple objects? # MISP input file zeekPrinter.ProcessMISP( - mispJson, + infileJson, source=[os.path.splitext(os.path.basename(inarg))[0]], ) @@ -686,7 +619,6 @@ def ProcessThreatInputWorker(threatInputWorkerArgs): mispAuthKey = mispConnInfo[1] with requests.Session() as mispSession: - if mispAuthKey is not None: mispSession.headers.update({'Authorization': mispAuthKey}) 
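Review bot: The rewritten condition `((not hasattr(attribute, 'deleted')) or (not attribute.deleted))` is the single check `not getattr(attribute, 'deleted', False)`, which reads as what it is and drops a pair of parentheses; the surrounding `if` in ProcessMISP continues past the hunk, so it is a one-expression replacement in place. The narrowed `except ValueError:` is the right change but leaves an unparsable `osint:certainty` tag silent; a `self.logger.debug(...)` in that branch would help when a feed's tag format changes.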
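Review bot: The six indexed assignments from `threatInputWorkerArgs[0]` … `[5]` at the top of ProcessThreatInputWorker can be one sequence unpack, `inputQueue, zeekPrinter, since, defaultNow, workerThreadCount, logger = threatInputWorkerArgs`, which also fails immediately with a clear ValueError when the caller's list and this one drift apart — exactly what the matching edit in zeek_intel_from_threat_feed.py (L1154) shows can happen — instead of an IndexError on `[5]` at thread start. How `defaultNow` is consumed is not visible in this hunk; the function continues outside it.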
@@ -849,7 +781,6 @@ def ProcessThreatInputWorker(threatInputWorkerArgs): else TaxiiCollection_v20(info['url'], user=taxiiUsername, password=taxiiPassword) ) try: - # loop over paginated results for envelope in ( TaxiiAsPages_v21( diff --git a/suricata/scripts/eve-clean-logs.sh b/suricata/scripts/eve-clean-logs.sh index dd11f570e..e38a0e00b 100755 --- a/suricata/scripts/eve-clean-logs.sh +++ b/suricata/scripts/eve-clean-logs.sh @@ -24,7 +24,7 @@ if [[ "${SURICATA_LIVE_CAPTURE:-false}" != "true" ]]; then DOCUMENT_FOUND=$( curl -sSL -XPOST \ -H 'Content-Type: application/json' \ - 'http://api:5000/document' \ + 'http://api:5000/mapi/document' \ -d "{\"limit\":1,\"filter\":{\"log.file.path\":\"$(basename $LOGFILE)\"}}" 2>/dev/null \ | jq '.results | length' 2>/dev/null || echo '0') diff --git a/suricata/supervisord.conf b/suricata/supervisord.conf index ac0d96bd2..dae335106 100644 --- a/suricata/supervisord.conf +++ b/suricata/supervisord.conf @@ -18,9 +18,7 @@ supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface serverurl=unix:///tmp/supervisor.sock [program:pcap-suricata] -command=python3 /usr/local/bin/pcap_suricata_processor.py - --verbose "%(ENV_PCAP_PIPELINE_DEBUG)s" - --extra-verbose "%(ENV_PCAP_PIPELINE_DEBUG_EXTRA)s" +command=python3 /usr/local/bin/pcap_suricata_processor.py %(ENV_PCAP_PIPELINE_VERBOSITY)s --start-sleep 10 --threads %(ENV_SURICATA_AUTO_ANALYZE_PCAP_THREADS)s --publisher "%(ENV_PCAP_MONITOR_HOST)s" diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index 42df7ff2e..d5d6f49c2 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek 
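Review bot: The endpoint moved to `/mapi/document`, but the body on the next line still splices `$(basename $LOGFILE)` unquoted into hand-built JSON: `$LOGFILE` is subject to word splitting and globbing, and a file name containing `"` or `\` produces an invalid document, after which the `|| echo '0'` fallback most likely reports "not found". Building the body with jq while this line is being touched is a one-line change: `-d "$(jq -cn --arg p "$(basename -- "$LOGFILE")" '{limit:1,filter:{"log.file.path":$p}}')"`. What the script does with `DOCUMENT_FOUND` is outside the hunk.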
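Review bot: `%(ENV_PCAP_PIPELINE_VERBOSITY)s` is now spliced into `command` unquoted, so supervisord's own argument splitting turns it into zero or more argv tokens rather than the single quoted value the removed `--verbose "…"` lines passed, and — if I recall supervisord's expansion rules correctly — a reference to an unset `ENV_` name is a configuration error rather than an empty string. Nothing in the file says what the variable is expected to hold; a comment above the line, e.g. `; PCAP_PIPELINE_VERBOSITY: verbosity flags for the processor (empty, --verbose or --extra-verbose, as the old lines passed), inserted unquoted`, documents the contract. The identical change in zeek/supervisord.conf (L1161) needs the same.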
@@ -9,6 +9,8 @@ global disable_log_passwords = (getenv("ZEEK_DISABLE_LOG_PASSWORDS") == "") ? F global disable_ssl_validate_certs = (getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS") == "") ? F : T; global disable_track_all_assets = (getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") == "") ? F : T; global disable_best_guess_ics = (getenv("ZEEK_DISABLE_BEST_GUESS_ICS") == "") ? F : T; +global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == "") ? F : T; +global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T; global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T; @@ -62,7 +64,6 @@ redef ignore_checksums = T; @load policy/protocols/conn/vlan-logging @load policy/protocols/conn/mac-logging @load policy/protocols/modbus/known-masters-slaves -@load policy/protocols/mqtt @load ./login.zeek @if (!disable_best_guess_ics) 
@@ -115,6 +116,31 @@ event zeek_init() &priority=-5 { if (disable_spicy_wireguard) { Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_WIREGUARD); } + + # register additional ports for Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_... + if (synchrophasor_ports_str != "") { + local synchrophasor_ports = split_string(synchrophasor_ports_str, /,/); + if (|synchrophasor_ports| > 0) { + local synch_ports_tcp: set[port] = {}; + local synch_ports_udp: set[port] = {}; + for (synch_port_idx in synchrophasor_ports) { + local synch_port = to_port(synchrophasor_ports[synch_port_idx]); + local synch_prot = get_port_transport_proto(synch_port); + if (synch_prot == tcp) { + add synch_ports_tcp[synch_port]; + } else if (synch_prot == udp) { + add synch_ports_udp[synch_port]; + } + } + if (|synch_ports_tcp| > 0) { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP, synch_ports_tcp); + } + if (|synch_ports_udp| > 0) { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP, synch_ports_udp); + } + } + } + } @if (!disable_log_passwords) @@ -127,3 +153,8 @@ event zeek_init() &priority=-5 { redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; +@if (synchrophasor_detailed) + redef SYNCHROPHASOR::log_data_frame = T; + redef SYNCHROPHASOR::log_data_detail = T; + redef SYNCHROPHASOR::log_cfg_detail = T; +@endif diff --git a/zeek/supervisord.conf b/zeek/supervisord.conf index babbd790b..e765007b6 100644 --- a/zeek/supervisord.conf +++ b/zeek/supervisord.conf 
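Review bot: The port loop takes every token from `split_string(synchrophasor_ports_str, /,/)` as-is: `ZEEK_SYNCHROPHASOR_PORTS=4712/tcp, 4713/udp` yields a second token with a leading space, and a token that is not a `<num>/<proto>` port string, or names a transport other than tcp/udp, is either dropped without a word or — depending on what `to_port()` returns for unparsable input — registered as a bogus port, so a typo silently leaves the analyzer unregistered. Stripping each token and reporting the fallthrough makes the misconfiguration visible at startup: `local synch_port_str = strip(synchrophasor_ports[synch_port_idx]);`, `local synch_port = to_port(synch_port_str);`, and `else { Reporter::warning(fmt("ignoring ZEEK_SYNCHROPHASOR_PORTS entry '%s'", synch_port_str)); }` after the udp branch. The `|synchrophasor_ports| > 0` guard is always true once the string is non-empty and can go. The enclosing `event zeek_init()` starts outside the hunk.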
@@ -18,9 +18,7 @@ supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface serverurl=unix:///tmp/supervisor.sock [program:pcap-zeek] -command=python3 /usr/local/bin/pcap_zeek_processor.py - --verbose "%(ENV_PCAP_PIPELINE_DEBUG)s" - --extra-verbose "%(ENV_PCAP_PIPELINE_DEBUG_EXTRA)s" +command=python3 /usr/local/bin/pcap_zeek_processor.py %(ENV_PCAP_PIPELINE_VERBOSITY)s --start-sleep 10 --threads %(ENV_ZEEK_AUTO_ANALYZE_PCAP_THREADS)s --publisher "%(ENV_PCAP_MONITOR_HOST)s"