Merge branch 'master' of baltig.sandia.gov:scot/SCOT

Author: brymon68

bin/update_incidents.pl

@@ -0,0 +1,45 @@
+#!/usr/bin/env perl
+
+use MongoDB;
+use Data::Dumper;
+use v5.18;
+
+my $mongo       = MongoDB->connect->db('scot-prod');
+my $collection  = $mongo->get_collection('incident');
+my $cursor      = $collection->find({});
+
+print "starting...\n";
+print $cursor->count . " incident records\n";
+my %lookup  = ();
+
+while (my $incident = $cursor->next) {
+
+    my $id       = $incident->{id};
+    print "...incident $id\n";
+
+    my %data    = (
+        reportable          => $incident->{reportable},
+        type                => $incident->{type},
+        category            => $incident->{category},
+        security_category   => $incident->{security_category},
+        sensitivity         => $incident->{sensitivity},
+        doe_report_id       => $incident->{doe_report_id},
+    );
+
+    my %newinc  = (
+        id              => $id,
+        created         => $incident->{created},
+        updated         => $incident->{updated},
+        occurred        => $incident->{occurred},
+        discovered      => $incident->{discovered},
+        reported        => $incident->{reported},
+        when            => $incident->{when} // 0,
+        subject         => $incident->{subject},
+        promoted_from   => $incident->{promoted_from},
+        data_fmt_ver    => "incident_v2",
+        data            => \%data,
+    );
+
+    $collection->update_one({id => $id}, \%newinc);
+
+}

demo/demo2.pl

@@ -2,13 +2,17 @@
 
 use lib '/opt/scot/lib';
 use Scot::Util::ScotClient;
+use Scot::Env;
 use MIME::Base64;
 use Data::Dumper;
 use JSON;
 use strict;
 use warnings;
 use v5.18;
 
+my $env = Scot::Env->new({
+    config_file => '/opt/scot/etc/scot.cfg.pl',
+});
 
 my %users = (
     admin       => '61E4663E-6CAB-11E7-B011-FEE80D183886',
@@ -26,6 +30,7 @@
         auth_type   => 'apikey',
         api_key => $users{$user},
         servername => 'scotdemo.com',
+        env         => $env,
         config  => {
 
        },

docker-configs/flair/flair.cfg.pl

@@ -20,9 +20,11 @@
         logfile         => '/var/log/scot/scot.flair.log',
         log_level       => 'DEBUG',
     },
+    ## Flair.pm needs to know how to connect to the ActiveMQ topic
     stomp_host  => "activemq",
     stomp_port  => 61613,
     topic       => "/topic/scot",
+    ## updates to flair-ed entries and alerts will be done by this account
     default_owner   => "scot-admin",
     # modules used by flair app
     modules => [
@@ -43,7 +45,7 @@
             attr    => 'scot',
             class   => 'Scot::Util::ScotClient',
             config  => {
-                servername  => 'localhost',
+                servername  => 'scot',
                 # username with sufficient scot perms to create alert(groups)
                 username    => 'scot-alerts',
                 # the password for that user
@@ -127,4 +129,8 @@
             },
         },  
     ],
+    # future use:
+    location                => "scot_demo",
+    site_identifier         => "scot_demo",
+    default_share_policy    => "none",
 );

docker-configs/mail/alert.cfg.pl

@@ -1,13 +1,35 @@
+####
+#### alert.cfg.pl
+####
+#### Used to configure the SCOT email alert input program
+#### bin/alert.pl which uses Scot::App::Mail
+####
+
 %environment = (
+
+    ## See perl DateTime documenation for values matching your locale
     time_zone   => 'America/Denver',
+
+    ## Set up Scot Logging to your liking.  See Log::Log4perl documentaton
+    ## for details on layout and log_level.  By default, log_level of DEBUB
+    ## is very verbose, but is probably the level you want to be able to 
+    ## figure out an error after it occurs.
     log_config  => {
         logger_name     => 'SCOT',
         layout          => '%d %7p [%P] %15F{1}: %4L %m%n',
         appender_name   => 'scot_log',
         logfile         => '/var/log/scot/scot.mail.log',
         log_level       => 'DEBUG',
     },
+
+    ## MODULES
+    ## Each hash in the following array, will result in an attribute
+    ## being created in the Scot/Env.pm module that points to the class
+    ## described.  if you ever get a "cant find foo in Scot::Env" you might
+    ## be missing something here
+
     modules => [
+        ## describe to SCOT how to talk to your imap server
         {
             attr    => 'imap',
             class   => 'Scot::Util::Imap',
@@ -25,6 +47,7 @@
                 ignore_size_errors  => 1,        # ignore_size_errors 
             },
         },
+        ## describe how for the Scot Perl client to find the SCOT server
         {
             attr    => 'scot',
             class   => 'Scot::Util::ScotClient',
@@ -38,6 +61,7 @@
                 authtype    => 'Local',
             },
         },
+        ## mongodb connection information
         {
             attr    => 'mongo',
             class   => 'Scot::Util::MongoFactory',
@@ -48,6 +72,7 @@
                 find_master     => 1,
             },
         },
+        ## ActiveMQ connection info
         {
             attr    => 'mq',
             class   => 'Scot::Util::Messageq',
@@ -57,6 +82,7 @@
                 stomp_port  => 61613,
             },
         },
+        ## Elasticsearch connection info
         {
             attr    => 'es',
             class   => 'Scot::Util::ElasticSearch',
@@ -66,8 +92,12 @@
             },
         },
     ],
+    ## parser_dir is where to find the modules that can parse the emails
     parser_dir  => '/opt/scot/lib/Scot/Parser',
+    ## alert.pl can utilize rest or direct mongo connection to input data
     get_method      => "mongo",     # other value is "rest"
+    ## leave_unseen = 1 means SCOT will leave emails marked "unread" 
+    ## leave_unseen = 0 means SCOT marks emails read after processing
     leave_unseen    => 1,
     # interactive => [ yes | no ]
     # pauses processing after each message and writes to console 
@@ -76,6 +106,7 @@
     # max_processes => 0 to positive int
     # number of child processes to fork to parse messages in parallel
     # 0 = disable forking and do all messages sequentially
+    # recommendation is 5-10 in production, 0 for testing.
     max_processes   => 0,       
     # fetch_mode    => [ unseen | time ]
     # unseen looks for unseen messages via imap protocol
@@ -91,8 +122,13 @@
     # approved_alert_domains => [ 'domain1\.org', ... ]
     # only domains listed in this array can send email to scot
     # periods need to be escaped by \
-    approved_alert_domains  => [ 'domain.tld' ],
+    approved_alert_domains  => [ 'domain\.tld' ],
     # approve_accounts => [ '[email protected]' ];
     # account in this domain can also send to scot
     approved_accounts   => [ '[email protected]' ],
+
+    # future use:
+    location                => "scot_demo",
+    site_identifier         => "scot_demo",
+    default_share_policy    => "none",
 );

docker-configs/mongodb/mongod.conf

@@ -16,7 +16,7 @@ storage:
 systemLog:
   destination: file
   logAppend: true
-  path: /var/log/mongodb/mongod.log
+  path: /var/log/mongodb/
 
 # network interfaces
 net:

docker-configs/reflair/reflair.cfg.pl

@@ -53,4 +53,8 @@
             },
         },
     ],
+    # future use:
+    location                => "scot_demo",
+    site_identifier         => "scot_demo",
+    default_share_policy    => "none",
 );

docker-configs/scot/scot.cfg.pl

@@ -13,8 +13,6 @@
     # authentication can be "Remoteuser", "Local", or "Ldap"
     auth_type   => 'Local', 
 
-    authclass   => 'Controller::Auth::Local',
-
     # group mode can be "local" or "ldap"
     group_mode  => 'local',
 
@@ -43,6 +41,15 @@
 
     share_after_time    => 10, # minutes
 
+    stomp_host  => "localhost",
+    stomp_port  => 61613,
+    topic       => "/topic/scot",
+
+    # location and site_identifier (future use)
+    location                => 'demosite',
+    site_identifier         => "demosite",
+    default_share_policy    => "none",
+
     # mojo defaults are values for the mojolicious startup
     mojo_defaults   => {
         # change this after install and restart scot
@@ -54,7 +61,7 @@
         # hypnotoad workers, 50-100 heavy use, 20 - 50 light
         # hypnotoad_workers   => 75,
         hypnotoad => {
-            listen  => [ 'http://scot:3000?reuse=1' ],
+            listen  => [ 'http://0.0.0.0:3000?reuse=1' ],
             workers => 20,
             clients => 1,
             proxy   => 1,
@@ -199,24 +206,24 @@
         }, # end enrichments stanza
         #{
         #    attr    => 'ldap',
-        #    class   => 'Scot::Util::Ldap',
-        #    config  => {
-        #        servername  => 'ldap.domain.tld',
-        #        dn          => 'cn=cn_name,ou=local config,dc=tld',
-        #        password    => 'changemenow',
-        #        scheme      => 'ldap',
-        #        group_search    => {
-        #            base    => 'ou=groups,ou=orgname1,dc=dcname1,dc=dcname2,dc=dcname3',
-        #            filter  => '(| (cn=wg-scot*))',
-        #            attrs   => [ 'cn' ],
-        #        },
-        #        user_groups => {
-        #            base    => 'ou=accounts,ou=ouname,dc=dcname1,dc=dcname1,dc=dcname1',
-        #            filter  => 'uid=%s',
-        #            attrs   => ['memberOf'],
-        #        }
-        #    }, # end ldap config
-        #}, # end ldap
+       #     class   => 'Scot::Util::Ldap',
+       #     config  => {
+       #         servername  => 'ldap.domain.tld',
+       #         dn          => 'cn=cn_name,ou=local config,dc=tld',
+       #         password    => 'changemenow',
+       #         scheme      => 'ldap',
+       #         group_search    => {
+       #             base    => 'ou=groups,ou=orgname1,dc=dcname1,dc=dcname2,dc=dcname3',
+       #             filter  => '(| (cn=wg-scot*))',
+       #             attrs   => [ 'cn' ],
+       #         },
+       #         user_groups => {
+       #             base    => 'ou=accounts,ou=ouname,dc=dcname1,dc=dcname1,dc=dcname1',
+       #             filter  => 'uid=%s',
+       #             attrs   => ['memberOf'],
+       #         }
+       #     }, # end ldap config
+       # }, # end ldap
     ],
     entity_regexes  => [],
     #
@@ -309,7 +316,7 @@
                 help    => 'The id of the SCOT datatype that originated this sig',
                 label   => "Reference ID",
             },
-            {
+			{
                 type    => "multi_select",
                 key     => "action",
                 value   => [
@@ -465,6 +472,59 @@
                 help    => "Select Date/Time Incident was closed",
             },
         ],
+        incident_v2 => [
+            {
+                type    => 'dropdown',
+                key     => 'type',
+                value   => [
+                    # place your types here...
+                    { value => "none",      selected => 1 },
+                    { value => "intrusion", selected => 0 },
+                    { value => "malware",   selected => 0 },
+                ],
+                value_type  => {
+                    type    => "static",
+                    url     => undef,
+                    key     => 'type',
+                },
+                label   => "Incident Type",
+                help    => <<'EOF',
+<table>
+  <tr> <th>intrusion</th><td>An intrusion occurred</td> </tr>
+  <tr> <th>malware</th>  <td>Malware detected</td>      </tr>
+</table>
+EOF
+            },
+            {
+                type    => "calendar",
+                key     => "discovered",
+                value   => "",
+                value_type  => {
+                    type    => "static",
+                    url     => undef,
+                    key     => 'discovered',
+                },
+                label   => "Date/Time Discovered",
+                help    => "Select Date/Time Incident was discovered",
+            },
+            {
+                type    => "dropdown",
+                key     => "severity",
+                value   => [
+                    {value => 'NONE', selected => 1},
+                    {value => 'Low', selected => 0},
+                    {value => 'Moderate', selected => 0},
+                    {value => 'High', selected => 0},
+                ],
+                value_type  => {
+                    type    => "static",
+                    url     => undef,
+                    key     => 'severity',
+                },
+                label   => 'Incident severity',
+                help    => "Select best match for incident severity",
+            }, 
+        ],
         guide   => [
             {
                 type    => "input_multi",
@@ -480,4 +540,23 @@
             },
         ],
     }, 
+    dailybrief  => {
+        mail    => {
+            from    => '[email protected]',
+            to      => '[email protected]',
+            host    => 'smtp.yourdomain.com',
+        },
+        url     => 'https://scot.yourdomain.com/'
+    },
+    incident_summary_template   => <<EOF,
+<table>
+    <tr><th>Description</th><td><i>place description of the incident here</i></td></tr>
+    <tr><th>Related Indicators</th><td><i>Place IOC's here</i></td></tr>
+    <tr><th>Source Details</th><td><i>Place wource port, ip, protocol, etc. here</i></td></tr>
+    <tr><th>Compromised System Details</th><td><i>Place details about compromised System here</i></td></tr>
+    <tr><th>Recovery/Mitigation Actions</th><td><i>Place recovery/mitigation details here</i></td></tr>
+    <tr><th>Physical Location of System</th><td><i>Place the city and State of system location</i></td></tr>
+    <tr><th>Detection Details</th><td><i>Place Source, methods, or tools used to identify incident</i></td></tr>
+</table>
+EOF
 );