Monitor eth0 and eth1 with zeek and suricata
This commit is contained in:
Chris Long
@@ -377,6 +377,11 @@ install_zeek() {
|
||||
crudini --set $NODECFG proxy host localhost
|
||||
|
||||
# Setup $CPUS numbers of Zeek workers
|
||||
crudini --set $NODECFG worker-eth0 type worker
|
||||
crudini --set $NODECFG worker-eth0 host localhost
|
||||
crudini --set $NODECFG worker-eth0 interface eth0
|
||||
crudini --set $NODECFG worker-eth0 lb_method pf_ring
|
||||
crudini --set $NODECFG worker-eth0 lb_procs "$(nproc)"
|
||||
crudini --set $NODECFG worker-eth1 type worker
|
||||
crudini --set $NODECFG worker-eth1 host localhost
|
||||
crudini --set $NODECFG worker-eth1 interface eth1
|
||||
@@ -391,7 +396,7 @@ install_zeek() {
|
||||
# Configure the Splunk inputs
|
||||
mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf
|
||||
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek
|
||||
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json
|
||||
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype zeek:json
|
||||
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$'
|
||||
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$'
|
||||
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0
|
||||
@@ -464,12 +469,11 @@ install_suricata() {
|
||||
suricata-update enable-source ptresearch/attackdetection
|
||||
|
||||
# Configure the Splunk inputs
|
||||
mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
|
||||
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata
|
||||
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
|
||||
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
|
||||
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0
|
||||
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0
|
||||
crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata index suricata
|
||||
crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
|
||||
crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
|
||||
crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata disabled 0
|
||||
crudini --set /opt/splunk/etc/apps/search/local/props.conf suricata:json TRUNCATE 0
|
||||
|
||||
# Update suricata and restart
|
||||
suricata-update
|
||||
|
||||
0
Vagrant/resources/GPO/rdp_users/manifest.xml
Normal file → Executable file
0
Vagrant/resources/GPO/rdp_users/manifest.xml
Normal file → Executable file
@@ -69,13 +69,14 @@
|
||||
<title>Zeek Network Traffic by Type</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype</query>
|
||||
<query>| tstats count where index=zeek by source, _time span=1h prestats=t | timechart span=1h count by source useother=f</query>
|
||||
<earliest>-24h@h</earliest>
|
||||
<latest>now</latest>
|
||||
</search>
|
||||
<option name="charting.chart">column</option>
|
||||
<option name="charting.chart.stackMode">stacked</option>
|
||||
<option name="charting.drilldown">none</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
@@ -125,16 +126,18 @@
|
||||
<table>
|
||||
<title>http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html</title>
|
||||
<search>
|
||||
<query>index=zeek (dest_port=443 OR dest_port=80)
|
||||
| rename orig_bytes as bytes_out resp_bytes as bytes_in
|
||||
| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip
|
||||
| eval beacon_avg=('beacon_count' / 'total_count')
|
||||
| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out
|
||||
| head 100
|
||||
| eval incount=mvcount(bytes_in)
|
||||
| eventstats avg(beacon_count) as overall_average
|
||||
| eval beacon_percentage=('beacon_count' / 'overall_average')
|
||||
| sort - beacon_percentage</query>
|
||||
<query>index=zeek (dest_port=443 OR dest_port=80) dest_ip!=192.168.0.0/16
|
||||
| rename orig_bytes as bytes_out resp_bytes as bytes_in
|
||||
| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip
|
||||
| eval beacon_avg=('beacon_count' / 'total_count')
|
||||
| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out
|
||||
| eval beacon_avg=('beacon_count' / 'total_count')
|
||||
| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out
|
||||
| eval incount=mvcount(bytes_in)
|
||||
| eventstats avg(beacon_count) as overall_average
|
||||
| eval beacon_percentage=('beacon_count' / 'overall_average')
|
||||
| sort - beacon_percentage
|
||||
| fields - incount,overall_average</query>
|
||||
<earliest>-24h@h</earliest>
|
||||
<latest>now</latest>
|
||||
</search>
|
||||
@@ -215,4 +218,4 @@
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
</dashboard>
|
||||
</dashboard>
|
||||
@@ -124,11 +124,14 @@ logging:
|
||||
facility: local5
|
||||
format: "[%i] <%d> -- "
|
||||
af-packet:
|
||||
- interface: eth0
|
||||
cluster-id: 98
|
||||
cluster-type: cluster_flow
|
||||
defrag: yes
|
||||
- interface: eth1
|
||||
cluster-id: 99
|
||||
cluster-type: cluster_flow
|
||||
defrag: yes
|
||||
- interface: default
|
||||
pcap-file:
|
||||
checksum-checks: auto
|
||||
app-layer:
|
||||
|
||||
101
ci/copy_to_s3.sh
Normal file
101
ci/copy_to_s3.sh
Normal file
@@ -0,0 +1,101 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# This script is used to prepare DetectionLab to be imported as VM in AWS
|
||||
|
||||
# Configure credentials for awscli
|
||||
aws configure set aws_access_key_id $AWS_ACCESS_KEY
|
||||
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
|
||||
aws configure set default.region us-west-1
|
||||
export BUCKET_NAME="FILL_ME_IN"
|
||||
|
||||
cd /opt/DetectionLab/Vagrant || exit 1
|
||||
echo "Running WinRM Commands to open WinRM on the firewall..."
|
||||
for host in dc wef win10;
|
||||
do
|
||||
echo "Running 'Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -Profile Any' on $host..."
|
||||
vagrant winrm -e -c "Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -Profile Any" -s powershell $host; sleep 2
|
||||
done
|
||||
echo "Running 'Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-NoScope -Profile Any' on win10..."
|
||||
vagrant winrm -c "Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-NoScope' -Profile Any" -s powershell win10; sleep 2
|
||||
|
||||
echo "Running WinRM Commands to clear the event logs..."
|
||||
for host in dc wef win10;
|
||||
do
|
||||
echo "Clearing event logs on $host..."
|
||||
vagrant winrm -e -s powershell -c "Clear-Eventlog -Log Application, System" $host
|
||||
sleep 2
|
||||
done
|
||||
|
||||
echo "Printing activivation status of all hosts..."
|
||||
for host in dc wef win10;
|
||||
do
|
||||
echo "$host"
|
||||
vagrant winrm -s powershell -c "cscript c:\windows\system32\slmgr.vbs /dlv" $host
|
||||
sleep 2
|
||||
done
|
||||
echo "If you're ready to continue, type y:"
|
||||
read READY
|
||||
|
||||
if [ "$READY" != "y" ]; then
|
||||
echo "Okay, quitting"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#echo "Re-arming WEF"
|
||||
#vagrant winrm -e -s powershell -c "cscript c:\windows\system32\slmgr.vbs /rearm" wef
|
||||
#echo "Activating Win10..."
|
||||
#vagrant winrm -e -s powershell -c "Set-Service TrustedInstaller -StartupType Automatic" win10
|
||||
#sleep 2
|
||||
#vagrant winrm -e -s powershell -c "Start-Service TrustedInstaller" win10
|
||||
#sleep 10
|
||||
#vagrant winrm -e -s powershell -c "cscript c:\windows\system32\slmgr.vbs /ato " win10
|
||||
|
||||
# Stop vagrant and export each box as an OVA
|
||||
cd /opt/DetectionLab/Vagrant || exit 1
|
||||
echo "Halting all VMs..."
|
||||
vagrant halt
|
||||
|
||||
echo "Creating a new tmux session..."
|
||||
sn=tmuxsession
|
||||
tmux new-session -s "$sn" -d
|
||||
tmux new-window -t "$sn:2" -n "dc" -d
|
||||
tmux new-window -t "$sn:3" -n "wef" -d
|
||||
tmux new-window -t "$sn:4" -n "win10" -d
|
||||
if which vmrun; then
|
||||
tmux send-keys -t "$sn:2" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/dc/vmware_desktop/*/WindowsServer2016.vmx /root/dc.ova && echo -n "success" > /root/dc.export || echo "failed" > /root/dc.export' Enter
|
||||
tmux send-keys -t "$sn:3" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/wef/vmware_desktop/*/WindowsServer2016.vmx /root/wef.ova && echo -n "success" > /root/wef.export || echo "failed" > /root/wef.export' Enter
|
||||
tmux send-keys -t "$sn:4" 'ovftool /opt/DetectionLab/Vagrant/.vagrant/machines/win10/vmware_desktop/*/windows_10.vmx /root/win10.ova && echo -n "success" > /root/win10.export || echo "failed" > /root/win10.export' Enter
|
||||
else
|
||||
tmux send-keys -t "$sn:2" 'vboxmanage export dc.windomain.local -o /root/dc.ova && echo -n "success" > /root/dc.export || echo "failed" > /root/dc.export' Enter
|
||||
tmux send-keys -t "$sn:3" 'vboxmanage export wef.windomain.local -o /root/wef.ova && echo -n "success" > /root/wef.export || echo "failed" > /root/wef.export' Enter
|
||||
tmux send-keys -t "$sn:4" 'vboxmanage export win10.windomain.local -o /root/win10.ova && echo -n "success" > /root/win10.export || echo "failed" > /root/win10.export' Enter
|
||||
fi
|
||||
|
||||
# Sleep until all exports are complete
|
||||
while [[ ! -f /root/dc.export || ! -f /root/wef.export || ! -f /root/win10.export ]];
|
||||
do sleep 5
|
||||
echo "Waiting for the OVA export to complete. Sleeping for 5."
|
||||
done
|
||||
|
||||
# Copy each OVA into S3
|
||||
if [[ "$(cat /root/dc.export)" == "success" && "$(cat /root/wef.export)" == "success" && "$(cat /root/win10.export)" == "success" ]]; then
|
||||
for file in dc wef win10
|
||||
do
|
||||
aws s3 cp /root/$file.ova s3://$BUCKET_NAME/disks/
|
||||
done
|
||||
fi
|
||||
|
||||
# Fix the bucket
|
||||
cd /opt/DetectionLab/AWS/Terraform/vm_import || exit 1
|
||||
for file in *.json;
|
||||
do sed -i "s/YOUR_BUCKET_GOES_HERE/$BUCKET_NAME/g" "$file";
|
||||
done
|
||||
|
||||
# Fix the key names
|
||||
for file in *.json;
|
||||
do sed -i 's#"S3Key": "#"S3Key": "disks/#g' "$file";
|
||||
done
|
||||
|
||||
aws ec2 import-image --description "dc" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/dc.json
|
||||
aws ec2 import-image --description "wef" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/wef.json
|
||||
aws ec2 import-image --description "win10" --license-type byol --disk-containers file:///opt/DetectionLab/AWS/Terraform/vm_import/win10.json
|
||||
Reference in New Issue
Block a user