Security-Onion-Solutions
diff --git a/‎README.md
+9-1 b/‎README.md
+9-1
diff --git a/‎VERSION
+1-1 b/‎VERSION
+1-1
diff --git a/‎pillar/data/addtotab.sh
+41-6 b/‎pillar/data/addtotab.sh
+41-6
diff --git a/‎pillar/data/evaltab.sls
+1 b/‎pillar/data/evaltab.sls
+1
diff --git a/‎pillar/data/mastertab.sls
+1 b/‎pillar/data/mastertab.sls
+1
diff --git a/‎pillar/data/sensorstab.sls
+1 b/‎pillar/data/sensorstab.sls
+1
diff --git a/‎pillar/masters/schedule.sls
-5 b/‎pillar/masters/schedule.sls
-5
diff --git a/‎pillar/nodes/schedule.sls
-5 b/‎pillar/nodes/schedule.sls
-5
diff --git a/‎pillar/sensors/schedule.sls
-5 b/‎pillar/sensors/schedule.sls
-5
diff --git a/‎pillar/top.sls
-4 b/‎pillar/top.sls
-4
diff --git a/‎salt/bro/cron/packetloss.sh
+2 b/‎salt/bro/cron/packetloss.sh
+2
diff --git a/‎salt/bro/files/local.bro
+2-1 b/‎salt/bro/files/local.bro
+2-1
diff --git a/‎salt/bro/files/local.bro.community
+2-1 b/‎salt/bro/files/local.bro.community
+2-1
diff --git a/‎salt/bro/init.sls
+27 b/‎salt/bro/init.sls
+27
diff --git a/‎salt/ca/files/signing_policies.conf
+13 b/‎salt/ca/files/signing_policies.conf
+13
diff --git a/‎salt/common/grafana/etc/dashboards/dashboard.yml
+35 b/‎salt/common/grafana/etc/dashboards/dashboard.yml
+35
diff --git a/‎salt/common/grafana/etc/datasources/influxdb.yaml
+18 b/‎salt/common/grafana/etc/datasources/influxdb.yaml
+18
@@ -1,4 +1,4 @@
-# Security Onion Hybrid Hunter Tech Preview 1.0.3
+# Security Onion Hybrid Hunter Tech Preview 1.0.4
 
 ### About
 Hybrid Hunter is a brand new Security Onion platform with the following characteristics:
@@ -56,6 +56,14 @@ sudo bash so-setup-network.sh
 ```
 Follow the prompts and reboot if asked to do so.
 
+Want to try the bleeding edge? You can install the following:
+```
+git clone https://github.com/TOoSmOotH/securityonion-saltstack
+cd securityonion-saltstack
+sudo bash so-setup-network.sh
+```
+This is an active development repo so many things can and will be broken.
+
 ### Allow Access to Kibana
 Once Setup is complete and services have initialized, you can then allow access to Kibana as follows.
 
 
@@ -1 +1 @@
-1.0.3
+1.0.4
@@ -5,12 +5,47 @@
 TYPE=$1
 NAME=$2
 IPADDRESS=$3
+CPUS=$4
+GUID=$5
+MANINT=$6
+ROOTFS=$7
+NSM=$8
+MONINT=$9
 
-if grep -q $IPADDRESS "/opt/so/saltstack/pillar/data/nodestab.sls"; then
-  echo "Storage Node Already in There"
-else
-  echo "  $NAME:" >> /opt/so/saltstack/pillar/data/nodestab.sls
-  echo "    ip: $IPADDRESS" >> /opt/so/saltstack/pillar/data/nodestab.sls
-  salt-call state.apply utility
+echo "Seeing if this host is already in here. If so delete it"
+if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
+  echo "Node Already Present - Let's re-add it"
+  awk -v blah="  $NAME:" 'BEGIN{ print_flag=1 }
+{
+    if( $0 ~ blah )
+    {
+       print_flag=0;
+       next
+    }
+    if( $0 ~ /^  [a-zA-Z0-9]+:$/ )
+    {
+        print_flag=1;
+    }
+    if ( print_flag == 1 )
+        print $0
 
+} ' /opt/so/saltstack/pillar/data/$TYPE.sls > /opt/so/saltstack/pillar/data/tmp.$TYPE.sls
+mv /opt/so/saltstack/pillar/data/tmp.$TYPE.sls /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "Deleted $NAME from the tab. Now adding it in again with updated info"
+fi
+echo "  $NAME:" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    ip: $IPADDRESS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    manint: $MANINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    totalcpus: $CPUS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    guid: $GUID" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    rootfs: $ROOTFS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    nsmfs: $NSM" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+if [ $TYPE == 'sensorstab' ]; then
+  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+  salt-call state.apply common
+fi
+if [ $TYPE == 'evaltab' ]; then
+  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+  salt-call state.apply common
+  salt-call state.apply utility
 fi
@@ -0,0 +1 @@
+evaltab:
@@ -0,0 +1 @@
+mastertab:
@@ -0,0 +1 @@
+sensorstab:
@@ -1,28 +1,24 @@
 base:
   'G@role:so-sensor':
-    - sensors.schedule
     - sensors.{{ grains.host }}
     - static
     - firewall.*
     - brologs
 
   'G@role:so-master':
-    - masters.schedule
     - masters.{{ grains.host }}
     - static
     - firewall.*
     - data.*
 
   'G@role:so-eval':
-    - masters.schedule
     - masters.{{ grains.host }}
     - static
     - firewall.*
     - data.*
     - brologs
 
   'G@role:so-node':
-    - nodes.schedule
     - nodes.{{ grains.host }}
     - static
     - firewall.*
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/bin/docker exec so-bro /opt/bro/bin/broctl netstats | awk -F '[ =]' '{RCVD += $5;DRP += $7;TTL += $9} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/bro/logs/packetloss.log
@@ -141,4 +141,5 @@
 #@load custom/somebropolicy.bro
 
 # Write logs in JSON
-#redef LogAscii::use_json = T;
+redef LogAscii::use_json = T;
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
@@ -129,4 +129,5 @@
 #@load custom/somebropolicy.bro
 
 # Use JSON
-#redef LogAscii::use_json = T;
+redef LogAscii::use_json = T;
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
@@ -35,6 +35,18 @@ brospooldir:
     - user: 937
     - makedirs: true
 
+brosfafincompletedir:
+  file.directory:
+    - name: /nsm/faf/files/incomplete
+    - user: 937
+    - makedirs: true
+
+brosfafcompletedir:
+  file.directory:
+    - name: /nsm/faf/files/complete
+    - user: 937
+    - makedirs: true
+
 # Sync the policies
 bropolicysync:
   file.recurse:
@@ -53,6 +65,21 @@ nodecfgsync:
     - group: 939
     - template: jinja
 
+plcronscript:
+  file.managed:
+    - name: /usr/local/bin/packetloss.sh
+    - source: salt://bro/cron/packetloss.sh
+    - mode: 755
+
+/usr/local/bin/packetloss.sh:
+  cron.present:
+    - user: root
+    - minute: '*/10'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
 # Sync local.bro
 {% if salt['pillar.get']('static:broversion', '') == 'COMMUNITY' %}
 localbrosync:
 
@@ -38,3 +38,16 @@ x509_signing_policies:
     - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: 3000
     - copypath: /etc/pki/issued_certs/
+  influxdb:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "critical keyEncipherment"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - days_valid: 3000
+    - copypath: /etc/pki/issued_certs/
@@ -0,0 +1,35 @@
+apiVersion: 1
+
+providers:
+
+{%- if grains['role'] != 'so-eval' %}
+- name: 'Master'
+  folder: 'Master'
+  type: file
+  disableDeletion: false
+  editable: true
+  options:
+    path: /etc/grafana/grafana_dashboards/master
+- name: 'Forward Nodes'
+  folder: 'Forward Nodes'
+  type: file
+  disableDeletion: false
+  editable: true
+  options:
+    path: /etc/grafana/grafana_dashboards/forward_nodes
+- name: 'Storage Nodes'
+  folder: 'Storage Nodes'
+  type: file
+  disableDeletion: false
+  editable: true
+  options:
+    path: /etc/grafana/grafana_dashboards/storage_nodes
+{%- else %}
+- name: 'Security Onion'
+  folder: 'Eval Mode'
+  type: file
+  disableDeletion: false
+  editable: true
+  options:
+    path: /etc/grafana/grafana_dashboards/eval
+{% endif %}
@@ -0,0 +1,18 @@
+{%- set MASTER = salt['pillar.get']('static:masterip', '') %}
+apiVersion: 1
+
+deleteDatasources:
+  - name: Graphite
+    orgId: 1
+
+datasources:
+  - name: InfluxDB
+    type: influxdb
+    access: proxy
+    database: telegraf
+    url: https://{{ MASTER }}:8086
+    jsonData:
+      tlsAuth: false
+      tlsAuthWithCACert: false
+      tlsSkipVerify: true
+    version: 1
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+#!/bin/bash`
	`2`	`+/usr/bin/docker exec so-bro /opt/bro/bin/broctl netstats \| awk -F '[ =]' '{RCVD += $5;DRP += $7;TTL += $9} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/bro/logs/packetloss.log`