From 2023e54ece792bb817f3121195f014647ef15d71 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Tue, 5 Jan 2021 21:56:00 -0800 Subject: [PATCH] Monitor eth0 and eth1 with zeek and suricata --- Vagrant/logger_bootstrap.sh | 18 ++-- Vagrant/resources/GPO/rdp_users/manifest.xml | 0 .../splunk_server/logger_dashboard.xml | 27 ++--- Vagrant/resources/suricata/suricata.yaml | 5 +- ci/copy_to_s3.sh | 101 ++++++++++++++++++ 5 files changed, 131 insertions(+), 20 deletions(-) mode change 100644 => 100755 Vagrant/resources/GPO/rdp_users/manifest.xml create mode 100644 ci/copy_to_s3.sh diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh index 82914e3..908b956 100644 --- a/Vagrant/logger_bootstrap.sh +++ b/Vagrant/logger_bootstrap.sh @@ -377,6 +377,11 @@ install_zeek() { crudini --set $NODECFG proxy host localhost # Setup $CPUS numbers of Zeek workers + crudini --set $NODECFG worker-eth0 type worker + crudini --set $NODECFG worker-eth0 host localhost + crudini --set $NODECFG worker-eth0 interface eth0 + crudini --set $NODECFG worker-eth0 lb_method pf_ring + crudini --set $NODECFG worker-eth0 lb_procs "$(nproc)" crudini --set $NODECFG worker-eth1 type worker crudini --set $NODECFG worker-eth1 host localhost crudini --set $NODECFG worker-eth1 interface eth1 @@ -391,7 +396,7 @@ install_zeek() { # Configure the Splunk inputs mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek - crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json + crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype zeek:json crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$' crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$' crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0 @@ -464,12 +469,11 @@ install_suricata() { suricata-update enable-source ptresearch/attackdetection # Configure the Splunk inputs - mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json' - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0 - crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0 + crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata index suricata + crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json + crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json' + crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata disabled 0 + crudini --set /opt/splunk/etc/apps/search/local/props.conf suricata:json TRUNCATE 0 # Update suricata and restart suricata-update diff --git a/Vagrant/resources/GPO/rdp_users/manifest.xml b/Vagrant/resources/GPO/rdp_users/manifest.xml old mode 100644 new mode 100755 diff --git a/Vagrant/resources/splunk_server/logger_dashboard.xml b/Vagrant/resources/splunk_server/logger_dashboard.xml index 2e74211..d1720ff 100644 --- a/Vagrant/resources/splunk_server/logger_dashboard.xml +++ b/Vagrant/resources/splunk_server/logger_dashboard.xml @@ -69,13 +69,14 @@ Zeek Network Traffic by Type - index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype + | tstats count where index=zeek by source, _time span=1h prestats=t | timechart span=1h count by source useother=f -24h@h now + @@ -125,16 +126,18 @@ http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html - index=zeek (dest_port=443 OR dest_port=80) -| rename orig_bytes as bytes_out resp_bytes as bytes_in -| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip -| eval beacon_avg=('beacon_count' / 'total_count') -| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out -| head 100 -| eval incount=mvcount(bytes_in) -| eventstats avg(beacon_count) as overall_average -| eval beacon_percentage=('beacon_count' / 'overall_average') -| sort - beacon_percentage + index=zeek (dest_port=443 OR dest_port=80) dest_ip!=192.168.0.0/16 +| rename orig_bytes as bytes_out resp_bytes as bytes_in +| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip +| eval beacon_avg=('beacon_count' / 'total_count') +| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out +| eval beacon_avg=('beacon_count' / 'total_count') +| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out +| eval incount=mvcount(bytes_in) +| eventstats avg(beacon_count) as overall_average +| eval beacon_percentage=('beacon_count' / 'overall_average') +| sort - beacon_percentage +| fields - incount,overall_average -24h@h now @@ -215,4 +218,4 @@ - + \ No newline at end of file diff --git a/Vagrant/resources/suricata/suricata.yaml b/Vagrant/resources/suricata/suricata.yaml index 294ee5e..849a400 100644 --- a/Vagrant/resources/suricata/suricata.yaml +++ b/Vagrant/resources/suricata/suricata.yaml @@ -124,11 +124,14 @@ logging: facility: local5 format: "[%i] <%d> -- " af-packet: + - interface: eth0 + cluster-id: 98 + cluster-type: cluster_flow + defrag: yes - interface: eth1 cluster-id: 99 cluster-type: cluster_flow defrag: yes - - interface: default pcap-file: checksum-checks: auto app-layer: diff --git a/ci/copy_to_s3.sh b/ci/copy_to_s3.sh new file mode 100644 index 0000000..611b8b8 --- /dev/null +++ b/ci/copy_to_s3.sh @@ -0,0 +1,101 @@ +#!/usr/bin/env bash + +# This script is used to prepare DetectionLab to be imported as VM in AWS + +# Configure credentials for awscli +aws configure set aws_access_key_id $AWS_ACCESS_KEY +aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY +aws configure set default.region us-west-1 +export BUCKET_NAME="FILL_ME_IN" + +cd /opt/DetectionLab/Vagrant || exit 1 +echo "Running WinRM Commands to open WinRM on the firewall..." +for host in dc wef win10; +do + echo "Running 'Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -Profile Any' on $host..." + vagrant winrm -e -c "Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -Profile Any" -s powershell $host; sleep 2 +done +echo "Running 'Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-NoScope -Profile Any' on win10..." +vagrant winrm -c "Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-NoScope' -Profile Any" -s powershell win10; sleep 2 + +echo "Running WinRM Commands to clear the event logs..." +for host in dc wef win10; +do + echo "Clearing event logs on $host..." + vagrant winrm -e -s powershell -c "Clear-Eventlog -Log Application, System" $host + sleep 2 +done + +echo "Printing activivation status of all hosts..." +for host in dc wef win10; +do + echo "$host" + vagrant winrm -s powershell -c "cscript c:\windows\system32\slmgr.vbs /dlv" $host + sleep 2 +done +echo "If you're ready to continue, type y:" +read READY + +if [ "$READY" != "y" ]; then + echo "Okay, quitting" + exit 1 +fi + +#echo "Re-arming WEF" +#vagrant winrm -e -s powershell -c "cscript c:\windows\system32\slmgr.vbs /rearm" wef +#echo "Activating Win10..." +#vagrant winrm -e -s powershell -c "Set-Service TrustedInstaller -StartupType Automatic" win10 +#sleep 2 +#vagrant winrm -e -s powershell -c "Start-Service TrustedInstaller" win10 +#sleep 10 +#vagrant winrm -e -s powershell -c "cscript c:\windows\system32\slmgr.vbs /ato " win10 + +# Stop vagrant and export each box as an OVA +cd /opt/DetectionLab/Vagrant || exit 1 +echo "Halting all VMs..." +vagrant halt + +echo "Creating a new tmux session..." +sn=tmuxsession +tmux new-session -s "$sn" -d +tmux new-window -t "$sn:2" -n "dc" -d +tmux new-window -t "$sn:3" -n "wef" -d +tmux new-window -t "$sn:4" -n "win10" -d +if which vmrun; then + tmux send-keys -t "$sn:2" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/dc/vmware_desktop/*/WindowsServer2016.vmx /root/dc.ova && echo -n "success" > /root/dc.export || echo "failed" > /root/dc.export' Enter + tmux send-keys -t "$sn:3" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/wef/vmware_desktop/*/WindowsServer2016.vmx /root/wef.ova && echo -n "success" > /root/wef.export || echo "failed" > /root/wef.export' Enter + tmux send-keys -t "$sn:4" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/win10/vmware_desktop/*/windows_10.vmx /root/win10.ova && echo -n "success" > /root/win10.export || echo "failed" > /root/win10.export' Enter +else + tmux send-keys -t "$sn:2" 'vboxmanage export dc.windomain.local -o /root/dc.ova && echo -n "success" > /root/dc.export || echo "failed" > /root/dc.export' Enter + tmux send-keys -t "$sn:3" 'vboxmanage export wef.windomain.local -o /root/wef.ova && echo -n "success" > /root/wef.export || echo "failed" > /root/wef.export' Enter + tmux send-keys -t "$sn:4" 'vboxmanage export win10.windomain.local -o /root/win10.ova && echo -n "success" > /root/win10.export || echo "failed" > /root/win10.export' Enter +fi + +# Sleep until all exports are complete +while [[ ! -f /root/dc.export || ! -f /root/wef.export || ! -f /root/win10.export ]]; + do sleep 5 + echo "Waiting for the OVA export to complete. Sleeping for 5." +done + +# Copy each OVA into S3 +if [[ "$(cat /root/dc.export)" == "success" && "$(cat /root/wef.export)" == "success" && "$(cat /root/win10.export)" == "success" ]]; then + for file in dc wef win10 + do + aws s3 cp /root/$file.ova s3://$BUCKET_NAME/disks/ + done +fi + +# Fix the bucket +cd /opt/DetectionLab/AWS/Terraform/vm_import || exit 1 +for file in *.json; + do sed -i "s/YOUR_BUCKET_GOES_HERE/$BUCKET_NAME/g" "$file"; +done + +# Fix the key names +for file in *.json; + do sed -i 's#"S3Key": "#"S3Key": "disks/#g' "$file"; +done + +aws ec2 import-image --description "dc" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/dc.json +aws ec2 import-image --description "wef" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/wef.json +aws ec2 import-image --description "win10" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/win10.json