Initial Support - Detections Module

Dockerfile

@@ -6,7 +6,7 @@
 
 FROM ghcr.io/security-onion-solutions/golang:1.21.5-alpine as builder
 ARG VERSION=0.0.0
-RUN apk update && apk add libpcap-dev bash git musl-dev gcc npm python3 py3-pip py3-virtualenv
+RUN apk update && apk add libpcap-dev bash git musl-dev gcc npm python3 py3-pip py3-virtualenv python3-dev openssl-dev linux-headers
 COPY . /build
 WORKDIR /build
 RUN if [ "$VERSION" != "0.0.0" ]; then mkdir gitdocs && cd gitdocs && \
@@ -22,6 +22,9 @@ RUN if [ "$VERSION" != "0.0.0" ]; then mkdir gitdocs && cd gitdocs && \
 RUN npm install jest jest-environment-jsdom --global
 RUN ./build.sh "$VERSION"
 
+RUN pip3 install sigma-cli pysigma-backend-elasticsearch pysigma-pipeline-windows yara-python --break-system-packages
+RUN sed -i 's/#!\/usr\/bin\/python3/#!\/usr\/bin\/env python/g' /usr/bin/sigma
+
 FROM ghcr.io/security-onion-solutions/python:3-slim
 
 ARG UID=939
@@ -30,7 +33,7 @@ ARG VERSION=0.0.0
 ARG ELASTIC_VERSION=0.0.0
 ARG WAZUH_VERSION=0.0.0
 
-RUN apt update -y 
+RUN apt update -y
 RUN apt install -y bash tzdata ca-certificates wget curl tcpdump unzip tshark
 RUN update-ca-certificates
 RUN addgroup --gid "$GID" socore
@@ -46,6 +49,8 @@ COPY --from=builder /build/LICENSE .
 COPY --from=builder /build/README.md .
 COPY --from=builder /build/sensoroni.json .
 COPY --from=builder /build/gitdocs/_build/html ./html/docs
+COPY --from=builder /usr/lib/python3.11/site-packages /usr/local/lib/python3.9/site-packages
+COPY --from=builder /usr/bin/sigma /usr/bin/sigma
 RUN find html/js -name "*test*.js" -delete
 RUN chmod u+x scripts/*
 RUN chown 939:939 scripts/*

agent/jobmanager_test.go

@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package agent
 
 import (

config/clientparameters.go

@@ -16,24 +16,27 @@ const DEFAULT_CHART_LABEL_OTHER_LIMIT = 10
 const DEFAULT_CHART_LABEL_FIELD_SEPARATOR = ", "
 
 type ClientParameters struct {
-	HuntingParams       HuntingParameters `json:"hunt"`
-	AlertingParams      HuntingParameters `json:"alerts"`
-	CasesParams         HuntingParameters `json:"cases"`
-	CaseParams          CaseParameters    `json:"case"`
-	DashboardsParams    HuntingParameters `json:"dashboards"`
-	JobParams           HuntingParameters `json:"job"`
-	DocsUrl             string            `json:"docsUrl"`
-	CheatsheetUrl       string            `json:"cheatsheetUrl"`
-	ReleaseNotesUrl     string            `json:"releaseNotesUrl"`
-	GridParams          GridParameters    `json:"grid"`
-	WebSocketTimeoutMs  int               `json:"webSocketTimeoutMs"`
-	TipTimeoutMs        int               `json:"tipTimeoutMs"`
-	ApiTimeoutMs        int               `json:"apiTimeoutMs"`
-	CacheExpirationMs   int               `json:"cacheExpirationMs"`
-	InactiveTools       []string          `json:"inactiveTools"`
-	Tools               []ClientTool      `json:"tools"`
-	CasesEnabled        bool              `json:"casesEnabled"`
-	EnableReverseLookup bool              `json:"enableReverseLookup"`
+	HuntingParams       HuntingParameters   `json:"hunt"`
+	AlertingParams      HuntingParameters   `json:"alerts"`
+	CasesParams         HuntingParameters   `json:"cases"`
+	CaseParams          CaseParameters      `json:"case"`
+	DashboardsParams    HuntingParameters   `json:"dashboards"`
+	JobParams           HuntingParameters   `json:"job"`
+	DetectionsParams    HuntingParameters   `json:"detections"`
+	DetectionParams     DetectionParameters `json:"detection"`
+	PlaybooksParams     HuntingParameters   `json:"playbooks"`
+	DocsUrl             string              `json:"docsUrl"`
+	CheatsheetUrl       string              `json:"cheatsheetUrl"`
+	ReleaseNotesUrl     string              `json:"releaseNotesUrl"`
+	GridParams          GridParameters      `json:"grid"`
+	WebSocketTimeoutMs  int                 `json:"webSocketTimeoutMs"`
+	TipTimeoutMs        int                 `json:"tipTimeoutMs"`
+	ApiTimeoutMs        int                 `json:"apiTimeoutMs"`
+	CacheExpirationMs   int                 `json:"cacheExpirationMs"`
+	InactiveTools       []string            `json:"inactiveTools"`
+	Tools               []ClientTool        `json:"tools"`
+	CasesEnabled        bool                `json:"casesEnabled"`
+	EnableReverseLookup bool                `json:"enableReverseLookup"`
 }
 
 func (config *ClientParameters) Verify() error {
@@ -186,3 +189,16 @@ type GridParameters struct {
 	MaxUploadSize  uint64 `json:"maxUploadSize,omitempty"`
 	StaleMetricsMs uint64 `json:"staleMetricsMs,omitempty"`
 }
+
+type DetectionParameters struct {
+	HuntingParameters
+	Presets              map[string]PresetParameters `json:"presets"`
+	SeverityTranslations map[string]string           `json:"severityTranslations"`
+}
+
+func (params *DetectionParameters) Verify() error {
+	err := params.HuntingParameters.Verify()
+
+	return err
+
+}

config/config.go

@@ -44,5 +44,6 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 			err = cfg.Server.Verify()
 		}
 	}
+
 	return cfg, err
 }

go.mod

@@ -1,6 +1,6 @@
 module github.com/security-onion-solutions/securityonion-soc
 
-go 1.20
+go 1.21
 
 require (
 	github.com/apex/log v1.9.0
@@ -20,19 +20,39 @@ require (
 )
 
 require (
+	github.com/go-git/go-git/v5 v5.11.0
+	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
 	github.com/tj/assert v0.0.3
+	go.uber.org/mock v0.3.0
 )
 
 require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
-	github.com/oapi-codegen/runtime v1.1.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/oapi-codegen/runtime v1.0.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 )