Merge pull request #89 from Security-Onion-Solutions/dev

Dev

Dockerfile

@@ -1,5 +1,5 @@
 # Copyright 2019 Jason Ertel (jertel). All rights reserved.
-# Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+# Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 #
 # This program is distributed under the terms of version 2 of the
 # GNU General Public License.  See LICENSE for further details.

Dockerfile.kratos

@@ -1,5 +1,5 @@
 # Copyright 2019 Jason Ertel (jertel). All rights reserved.
-# Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+# Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 #
 # This program is distributed under the terms of version 2 of the
 # GNU General Public License.  See LICENSE for further details.

agent/agent.go

@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -17,19 +17,19 @@ import (
 )
 
 type Agent struct {
-  Client			*web.Client
-  Config 			*config.AgentConfig
-  JobMgr			*JobManager
-  stoppedChan	chan bool
-  Version			string
+  Client      *web.Client
+  Config      *config.AgentConfig
+  JobMgr      *JobManager
+  stoppedChan chan bool
+  Version     string
 }
 
 func NewAgent(cfg *config.AgentConfig, version string) *Agent {
   agent := &Agent{
-    Config: cfg,
-    Client: web.NewClient(cfg.ServerUrl, cfg.VerifyCert),
+    Config:      cfg,
+    Client:      web.NewClient(cfg.ServerUrl, cfg.VerifyCert),
     stoppedChan: make(chan bool, 1),
-    Version: version,
+    Version:     version,
   }
   agent.JobMgr = NewJobManager(agent)
   return agent
@@ -47,5 +47,5 @@ func (agent *Agent) Stop() {
 }
 
 func (agent *Agent) Wait() {
-  <- agent.stoppedChan
-}
+  <-agent.stoppedChan
+}

agent/agent_test.go

@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.

agent/jobmanager.go

@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -12,12 +12,12 @@ package agent
 
 import (
   "errors"
+  "github.com/apex/log"
+  "github.com/security-onion-solutions/securityonion-soc/model"
   "io"
   "strconv"
   "sync"
   "time"
-  "github.com/apex/log"
-  "github.com/security-onion-solutions/securityonion-soc/model"
 )
 
 type JobManager struct {
@@ -31,10 +31,10 @@ type JobManager struct {
 func NewJobManager(agent *Agent) *JobManager {
   mgr := &JobManager{
     agent: agent,
-    node: model.NewNode(agent.Config.NodeId),
+    node:  model.NewNode(agent.Config.NodeId),
   }
 
-  // Any field/value added to this list must be manually copied to the 
+  // Any field/value added to this list must be manually copied to the
   // existing node object in filedatastoreimpl.go::UpdateNode()
   mgr.node.Role = agent.Config.Role
   mgr.node.Description = agent.Config.Description
@@ -59,7 +59,7 @@ func (mgr *JobManager) Start() {
     } else {
       log.WithField("jobId", job.Id).Info("Discovered pending job")
       var reader io.ReadCloser
-      reader, err = mgr.ProcessJob(job) 
+      reader, err = mgr.ProcessJob(job)
       if err == nil {
         if reader != nil {
           defer reader.Close()
@@ -104,7 +104,7 @@ func (mgr *JobManager) ProcessJob(job *model.Job) (io.ReadCloser, error) {
   for _, processor := range mgr.jobProcessors {
     reader, err = processor.ProcessJob(job, reader)
     if err != nil {
-      log.WithError(err).WithFields(log.Fields {
+      log.WithError(err).WithFields(log.Fields{
         "jobId": job.Id,
       }).Error("Failed to process job; job processing aborted")
       break
@@ -115,7 +115,7 @@ func (mgr *JobManager) ProcessJob(job *model.Job) (io.ReadCloser, error) {
 
 func (mgr *JobManager) CleanupJob(job *model.Job) {
   for _, processor := range mgr.jobProcessors {
-    processor.CleanupJob(job) 
+    processor.CleanupJob(job)
   }
 }
 
@@ -131,7 +131,7 @@ func (mgr *JobManager) updateDataEpoch() {
 }
 
 func (mgr *JobManager) StreamJobResults(job *model.Job, reader io.ReadCloser) error {
-  resp, err := mgr.agent.Client.SendAuthorizedRequest("POST", "/api/stream?jobId=" + strconv.Itoa(job.Id), "application/octet-stream", reader)
+  resp, err := mgr.agent.Client.SendAuthorizedRequest("POST", "/api/stream?jobId="+strconv.Itoa(job.Id), "application/octet-stream", reader)
   if resp.StatusCode != 200 {
     err = errors.New("Unable to submit job results (" + strconv.Itoa(resp.StatusCode) + "): " + resp.Status)
   }

agent/jobprocessor.go

@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -11,13 +11,13 @@
 package agent
 
 import (
+  "github.com/security-onion-solutions/securityonion-soc/model"
   "io"
   "time"
-  "github.com/security-onion-solutions/securityonion-soc/model"
 )
 
 type JobProcessor interface {
   ProcessJob(*model.Job, io.ReadCloser) (io.ReadCloser, error)
   CleanupJob(*model.Job)
   GetDataEpoch() time.Time
-}
+}

cmd/sensoroni.go

@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -13,10 +13,6 @@ package main
 import (
   "flag"
   "fmt"
-  "os"
-  "os/signal"
-  "syscall"
-  "time"
   "github.com/apex/log"
   "github.com/apex/log/handlers/logfmt"
   "github.com/apex/log/handlers/text"
@@ -26,6 +22,10 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/module"
   "github.com/security-onion-solutions/securityonion-soc/server"
   serverModules "github.com/security-onion-solutions/securityonion-soc/server/modules"
+  "os"
+  "os/signal"
+  "syscall"
+  "time"
 )
 
 var (
@@ -58,10 +58,10 @@ func main() {
     logFile, _ := InitLogging(cfg.LogFilename, cfg.LogLevel)
     defer logFile.Close()
 
-    log.WithFields(log.Fields {
-      "version": cfg.Version,
+    log.WithFields(log.Fields{
+      "version":   cfg.Version,
       "buildTime": cfg.BuildTime,
-    }).Info("Version Information")	
+    }).Info("Version Information")
 
     moduleMgr := module.NewModuleManager()
     var srv *server.Server

cmd/sensoroni_test.go

@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.

config/agentconfig.go

@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -12,23 +12,23 @@ package config
 
 import (
   "errors"
-  "os"
   "github.com/security-onion-solutions/securityonion-soc/module"
+  "os"
 )
 
 const DEFAULT_POLL_INTERVAL_MS = 1000
 
 type AgentConfig struct {
-  NodeId                          string                            `json:"nodeId"`
-  Role                            string                            `json:"role"`
-  Description                     string                            `json:"description"`
-  Address                         string                            `json:"address"`
-  Model                           string                            `json:"model"`
-  ServerUrl                       string                            `json:"serverUrl"`
-  VerifyCert                      bool                              `json:"verifyCert"`
-  PollIntervalMs                  int                               `json:"pollIntervalMs"`
-  Modules                         module.ModuleConfigMap            `json:"modules"`
-  ModuleFailuresIgnored           bool                              `json:"moduleFailuresIgnored"`
+  NodeId                string                 `json:"nodeId"`
+  Role                  string                 `json:"role"`
+  Description           string                 `json:"description"`
+  Address               string                 `json:"address"`
+  Model                 string                 `json:"model"`
+  ServerUrl             string                 `json:"serverUrl"`
+  VerifyCert            bool                   `json:"verifyCert"`
+  PollIntervalMs        int                    `json:"pollIntervalMs"`
+  Modules               module.ModuleConfigMap `json:"modules"`
+  ModuleFailuresIgnored bool                   `json:"moduleFailuresIgnored"`
 }
 
 func (config *AgentConfig) Verify() error {
@@ -43,4 +43,4 @@ func (config *AgentConfig) Verify() error {
     err = errors.New("Agent.ServerUrl configuration value is required")
   }
   return err
-}
+}

config/agentconfig_test.go

@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.

config/clientparameters.go

@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -19,6 +19,8 @@ const DEFAULT_MOST_RECENTLY_USED_LIMIT = 5
 type ClientParameters struct {
 	HuntingParams      HuntingParameters `json:"hunt"`
 	AlertingParams     HuntingParameters `json:"alerts"`
+	CasesParams        HuntingParameters `json:"cases"`
+	CaseParams         CaseParameters    `json:"case"`
 	JobParams          HuntingParameters `json:"job"`
 	DocsUrl            string            `json:"docsUrl"`
 	CheatsheetUrl      string            `json:"cheatsheetUrl"`
@@ -30,6 +32,7 @@ type ClientParameters struct {
 	CacheExpirationMs  int               `json:"cacheExpirationMs"`
 	InactiveTools      []string          `json:"inactiveTools"`
 	Tools              []ClientTool      `json:"tools"`
+	CasesEnabled       bool              `json:"casesEnabled"`
 }
 
 func (config *ClientParameters) Verify() error {
@@ -39,6 +42,9 @@ func (config *ClientParameters) Verify() error {
 	if err := config.AlertingParams.Verify(); err != nil {
 		return err
 	}
+	if err := config.CasesParams.Verify(); err != nil {
+		return err
+	}
 	return config.JobParams.Verify()
 }
 
@@ -70,6 +76,7 @@ type HuntingAction struct {
 	Method                string                 `json:"method"`
 	Body                  string                 `json:"body"`
 	Options               map[string]interface{} `json:"options"`
+	Categories            []string               `json:"categories"`
 }
 
 type ToggleFilter struct {
@@ -82,24 +89,24 @@ type ToggleFilter struct {
 }
 
 type HuntingParameters struct {
-	GroupItemsPerPage     int                 `json:"groupItemsPerPage"`
-	GroupFetchLimit       int                 `json:"groupFetchLimit"`
-	EventItemsPerPage     int                 `json:"eventItemsPerPage"`
-	EventFetchLimit       int                 `json:"eventFetchLimit"`
-	RelativeTimeValue     int                 `json:"relativeTimeValue"`
-	RelativeTimeUnit      int                 `json:"relativeTimeUnit"`
-	MostRecentlyUsedLimit int                 `json:"mostRecentlyUsedLimit"`
-	EventFields           map[string][]string `json:"eventFields"`
-	QueryBaseFilter       string              `json:"queryBaseFilter"`
-	QueryToggleFilters    []*ToggleFilter     `json:"queryToggleFilters"`
-	Queries               []*HuntingQuery     `json:"queries"`
-	Actions               []*HuntingAction    `json:"actions"`
-	Advanced              bool                `json:"advanced"`
-	AckEnabled            bool                `json:"ackEnabled"`
-	EscalateEnabled       bool                `json:"escalateEnabled"`
-}
-
-type GridParameters struct {
+	GroupItemsPerPage            int                 `json:"groupItemsPerPage"`
+	GroupFetchLimit              int                 `json:"groupFetchLimit"`
+	EventItemsPerPage            int                 `json:"eventItemsPerPage"`
+	EventFetchLimit              int                 `json:"eventFetchLimit"`
+	RelativeTimeValue            int                 `json:"relativeTimeValue"`
+	RelativeTimeUnit             int                 `json:"relativeTimeUnit"`
+	MostRecentlyUsedLimit        int                 `json:"mostRecentlyUsedLimit"`
+	EventFields                  map[string][]string `json:"eventFields"`
+	QueryBaseFilter              string              `json:"queryBaseFilter"`
+	QueryToggleFilters           []*ToggleFilter     `json:"queryToggleFilters"`
+	Queries                      []*HuntingQuery     `json:"queries"`
+	Actions                      []*HuntingAction    `json:"actions"`
+	Advanced                     bool                `json:"advanced"`
+	AckEnabled                   bool                `json:"ackEnabled"`
+	EscalateEnabled              bool                `json:"escalateEnabled"`
+	EscalateRelatedEventsEnabled bool                `json:"escalateRelatedEventsEnabled"`
+	ViewEnabled                  bool                `json:"viewEnabled"`
+	CreateLink                   string              `json:"createLink"`
 }
 
 func (params *HuntingParameters) Verify() error {
@@ -131,3 +138,25 @@ func (params *HuntingParameters) combineDeprecatedLinkIntoLinks() {
 		}
 	}
 }
+
+type PresetParameters struct {
+	Labels        []string `json:"labels"`
+	CustomEnabled bool     `json:"customEnabled"`
+}
+
+type CaseParameters struct {
+	MostRecentlyUsedLimit  int                         `json:"mostRecentlyUsedLimit"`
+	RenderAbbreviatedCount int                         `json:"renderAbbreviatedCount"`
+	Presets                map[string]PresetParameters `json:"presets"`
+}
+
+func (params *CaseParameters) Verify() error {
+	var err error
+	if params.MostRecentlyUsedLimit < 0 {
+		params.MostRecentlyUsedLimit = 0
+	}
+	return err
+}
+
+type GridParameters struct {
+}