Monitor eth0 and eth1 with zeek and suricata

Vagrant/logger_bootstrap.sh

@@ -377,6 +377,11 @@ install_zeek() {
   crudini --set $NODECFG proxy host localhost
 
   # Setup $CPUS numbers of Zeek workers
+  crudini --set $NODECFG worker-eth0 type worker
+  crudini --set $NODECFG worker-eth0 host localhost
+  crudini --set $NODECFG worker-eth0 interface eth0
+  crudini --set $NODECFG worker-eth0 lb_method pf_ring
+  crudini --set $NODECFG worker-eth0 lb_procs "$(nproc)"
   crudini --set $NODECFG worker-eth1 type worker
   crudini --set $NODECFG worker-eth1 host localhost
   crudini --set $NODECFG worker-eth1 interface eth1
@@ -391,7 +396,7 @@ install_zeek() {
   # Configure the Splunk inputs
   mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf
   crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek
-  crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json
+  crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype zeek:json
   crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$'
   crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$'
   crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0
@@ -464,12 +469,11 @@ install_suricata() {
   suricata-update enable-source ptresearch/attackdetection
 
   # Configure the Splunk inputs
-  mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
+  crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata index suricata
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata
+  crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
+  crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
+  crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata disabled 0
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0
+  crudini --set /opt/splunk/etc/apps/search/local/props.conf suricata:json TRUNCATE 0
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0
 
   # Update suricata and restart
   suricata-update

Vagrant/resources/splunk_server/logger_dashboard.xml

@@ -69,13 +69,14 @@
       <title>Zeek Network Traffic by Type</title>
       <chart>
         <search>
-          <query>index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype</query>
+          <query>| tstats count where index=zeek by source, _time span=1h prestats=t | timechart span=1h count by source useother=f</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="charting.chart">column</option>
         <option name="charting.chart.stackMode">stacked</option>
         <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
   </row>
@@ -125,16 +126,18 @@
       <table>
         <title>http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html</title>
         <search>
-          <query>index=zeek (dest_port=443 OR dest_port=80)  
+          <query>index=zeek (dest_port=443 OR dest_port=80)  dest_ip!=192.168.0.0/16
-| rename orig_bytes as bytes_out resp_bytes as bytes_in 
+| rename orig_bytes as bytes_out resp_bytes as bytes_in
-| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip 
+| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip
-| eval beacon_avg=('beacon_count' / 'total_count') 
+| eval beacon_avg=('beacon_count' / 'total_count')
-| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out 
+| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out
-| head 100
+| eval beacon_avg=('beacon_count' / 'total_count')
-| eval incount=mvcount(bytes_in) 
+| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out
-| eventstats avg(beacon_count) as overall_average 
+| eval incount=mvcount(bytes_in)
-| eval beacon_percentage=('beacon_count' / 'overall_average') 
+| eventstats avg(beacon_count) as overall_average
-| sort - beacon_percentage</query>
+| eval beacon_percentage=('beacon_count' / 'overall_average')
+| sort - beacon_percentage
+| fields - incount,overall_average</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
@@ -215,4 +218,4 @@
       </chart>
     </panel>
   </row>
-</dashboard>
+</dashboard>

Vagrant/resources/suricata/suricata.yaml

@@ -124,11 +124,14 @@ logging:
       facility: local5
       format: "[%i] <%d> -- "
 af-packet:
+  - interface: eth0
+    cluster-id: 98
+    cluster-type: cluster_flow
+    defrag: yes
   - interface: eth1
     cluster-id: 99
     cluster-type: cluster_flow
     defrag: yes
-  - interface: default
 pcap-file:
   checksum-checks: auto
 app-layer:

ci/copy_to_s3.sh

@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+
+# This script is used to prepare DetectionLab to be imported as VM in AWS
+
+# Configure credentials for awscli
+aws configure set aws_access_key_id $AWS_ACCESS_KEY
+aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+aws configure set default.region us-west-1
+export BUCKET_NAME="FILL_ME_IN"
+
+cd /opt/DetectionLab/Vagrant || exit 1
+echo "Running WinRM Commands to open WinRM on the firewall..."
+for host in dc wef win10;
+do
+  echo "Running 'Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -Profile Any' on $host..."
+  vagrant winrm -e -c "Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -Profile Any" -s powershell $host; sleep 2
+done
+echo "Running 'Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-NoScope -Profile Any' on win10..."
+vagrant winrm -c "Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-NoScope' -Profile Any" -s powershell win10; sleep 2
+
+echo "Running WinRM Commands to clear the event logs..."
+for host in dc wef win10;
+do
+  echo "Clearing event logs on $host..."
+  vagrant winrm -e -s powershell -c "Clear-Eventlog -Log Application, System" $host
+  sleep 2
+done
+
+echo "Printing activivation status of all hosts..."
+for host in dc wef win10;
+do
+  echo "$host"
+  vagrant winrm -s powershell -c "cscript c:\windows\system32\slmgr.vbs /dlv" $host
+  sleep 2
+done
+echo "If you're ready to continue, type y:"
+read READY
+
+if [ "$READY" != "y" ]; then
+  echo "Okay, quitting"
+  exit 1
+fi
+
+#echo "Re-arming WEF"
+#vagrant winrm -e -s powershell -c "cscript c:\windows\system32\slmgr.vbs /rearm" wef
+#echo "Activating Win10..."
+#vagrant winrm -e -s powershell -c "Set-Service TrustedInstaller -StartupType Automatic" win10
+#sleep 2
+#vagrant winrm -e -s powershell -c "Start-Service TrustedInstaller" win10
+#sleep 10
+#vagrant winrm -e -s powershell -c "cscript c:\windows\system32\slmgr.vbs /ato " win10
+
+# Stop vagrant and export each box as an OVA
+cd /opt/DetectionLab/Vagrant || exit 1
+echo "Halting all VMs..."
+vagrant halt
+
+echo "Creating a new tmux session..."
+sn=tmuxsession
+tmux new-session -s "$sn" -d
+tmux new-window -t "$sn:2" -n "dc" -d
+tmux new-window -t "$sn:3" -n "wef" -d
+tmux new-window -t "$sn:4" -n "win10" -d
+if which vmrun; then
+  tmux send-keys -t "$sn:2" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/dc/vmware_desktop/*/WindowsServer2016.vmx /root/dc.ova && echo -n "success" > /root/dc.export || echo "failed" > /root/dc.export' Enter
+  tmux send-keys -t "$sn:3" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/wef/vmware_desktop/*/WindowsServer2016.vmx /root/wef.ova && echo -n "success" > /root/wef.export || echo "failed" > /root/wef.export' Enter
+  tmux send-keys -t "$sn:4" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/win10/vmware_desktop/*/windows_10.vmx /root/win10.ova && echo -n "success" > /root/win10.export || echo "failed" > /root/win10.export' Enter
+else
+  tmux send-keys -t "$sn:2" 'vboxmanage export dc.windomain.local -o /root/dc.ova && echo -n "success" > /root/dc.export || echo "failed" > /root/dc.export' Enter
+  tmux send-keys -t "$sn:3" 'vboxmanage export wef.windomain.local -o /root/wef.ova && echo -n "success" > /root/wef.export || echo "failed" > /root/wef.export' Enter
+  tmux send-keys -t "$sn:4" 'vboxmanage export win10.windomain.local -o /root/win10.ova && echo -n "success" > /root/win10.export || echo "failed" > /root/win10.export' Enter
+fi
+
+# Sleep until all exports are complete
+while [[ ! -f /root/dc.export || ! -f /root/wef.export || ! -f /root/win10.export ]];
+  do sleep 5
+  echo "Waiting for the OVA export to complete. Sleeping for 5."
+done
+
+# Copy each OVA into S3
+if [[ "$(cat /root/dc.export)" == "success" && "$(cat /root/wef.export)" == "success" && "$(cat /root/win10.export)" == "success" ]]; then
+  for file in dc wef win10
+  do
+    aws s3 cp /root/$file.ova s3://$BUCKET_NAME/disks/
+  done
+fi
+
+# Fix the bucket
+cd /opt/DetectionLab/AWS/Terraform/vm_import || exit 1
+for file in *.json;
+  do sed -i "s/YOUR_BUCKET_GOES_HERE/$BUCKET_NAME/g" "$file";
+done
+
+# Fix the key names
+for file in *.json;
+  do sed -i 's#"S3Key": "#"S3Key": "disks/#g' "$file";
+done
+
+aws ec2 import-image --description "dc" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/dc.json
+aws ec2 import-image --description "wef" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/wef.json
+aws ec2 import-image --description "win10" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/win10.json