Added bro and suricata to the logger vagrant
Configured Splunk to ingest both Bro and Suricata logs; reconfigured the logger Vagrant box to have 2 CPUs and 4GB of RAM.
9
Vagrant/Vagrantfile
9
Vagrant/Vagrantfile
@@ -13,16 +13,17 @@ Vagrant.configure("2") do |config|
|
||||
end
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
v.memory = 2048
|
||||
v.cpus = 1
|
||||
v.memory = 4096
|
||||
v.cpus = 2
|
||||
v.gui = true
|
||||
end
|
||||
|
||||
cfg.vm.provider "virtualbox" do |vb, override|
|
||||
vb.gui = true
|
||||
vb.customize ["modifyvm", :id, "--memory", 2048]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 1]
|
||||
vb.customize ["modifyvm", :id, "--memory", 4096]
|
||||
vb.customize ["modifyvm", :id, "--cpus", 2]
|
||||
vb.customize ["modifyvm", :id, "--vram", "32"]
|
||||
vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
|
||||
vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
|
||||
vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
|
||||
end
|
||||
|
||||
@@ -88,6 +88,8 @@ install_splunk() {
|
||||
/opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk add index sysmon -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk add index powershell -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk add index bro -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
|
||||
# Add a Splunk TCP input on port 9997
|
||||
@@ -215,6 +217,148 @@ install_caldera() {
|
||||
fi
|
||||
}
|
||||
|
||||
install_bro() {
|
||||
# environment variables
|
||||
BRO_VERSION=2.5.4
|
||||
BRO_SRC=/usr/src/bro
|
||||
NODECFG=/opt/bro/etc/node.cfg
|
||||
SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
|
||||
SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager'
|
||||
SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
|
||||
|
||||
# update APT repositories
|
||||
apt-get -qq -ym update
|
||||
# install tools to build and configure bro
|
||||
apt-get -qq -ym install crudini \
|
||||
build-essential \
|
||||
git \
|
||||
unzip \
|
||||
python-pip \
|
||||
flex \
|
||||
libpcap-dev \
|
||||
flex \
|
||||
bison \
|
||||
libpcap-dev \
|
||||
swig \
|
||||
cmake \
|
||||
libssl-dev \
|
||||
devscripts
|
||||
|
||||
# grab bro from github and build and install
|
||||
git clone --recursive --branch v$BRO_VERSION git://git.bro.org/bro $BRO_SRC
|
||||
cd $BRO_SRC
|
||||
./configure --disable-broker --prefix=/opt/bro
|
||||
make
|
||||
make install
|
||||
|
||||
# load bro scripts
|
||||
cat<<EOF >> /opt/bro/share/bro/site/local.bro
|
||||
|
||||
@load protocols/ftp/software
|
||||
@load protocols/smtp/software
|
||||
@load protocols/ssh/software
|
||||
@load protocols/http/software
|
||||
|
||||
@load tuning/json-logs
|
||||
@load policy/integration/collective-intel
|
||||
@load policy/frameworks/intel/do_notice
|
||||
|
||||
@load frameworks/intel/seen
|
||||
@load frameworks/intel/do_notice
|
||||
@load frameworks/files/hash-all-files
|
||||
|
||||
@load policy/protocols/smb
|
||||
|
||||
@load policy/protocols/conn/vlan-logging
|
||||
|
||||
@load policy/protocols/conn/mac-logging
|
||||
|
||||
redef Intel::read_files += {
|
||||
"/opt/bro/etc/intel.dat"
|
||||
};
|
||||
|
||||
EOF
|
||||
|
||||
|
||||
# configure bro
|
||||
crudini --del $NODECFG bro
|
||||
crudini --set $NODECFG manager type manager
|
||||
crudini --set $NODECFG manager host localhost
|
||||
crudini --set $NODECFG proxy type proxy
|
||||
crudini --set $NODECFG proxy host localhost
|
||||
CPUS=$(lscpu -e |awk /yes/'{print $1'} |wc -l)
|
||||
|
||||
# setup $CPUS numbers of bro workers
|
||||
for i in eth1
|
||||
do
|
||||
crudini --set $NODECFG worker-$i type worker
|
||||
crudini --set $NODECFG worker-$i host localhost
|
||||
crudini --set $NODECFG worker-$i interface $i
|
||||
crudini --set $NODECFG worker-$i lb_method pf_ring
|
||||
crudini --set $NODECFG worker-$i lb_procs $CPUS
|
||||
done
|
||||
|
||||
# setup bro to run at boot
|
||||
cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service
|
||||
|
||||
for i in bro
|
||||
do
|
||||
systemctl enable $i
|
||||
systemctl start $i
|
||||
done
|
||||
|
||||
# setup splunk TA to ingest bro and suricata data
|
||||
git clone https://github.com/jahshuah/splunk-ta-bro-json $SPLUNK_BRO_JSON
|
||||
|
||||
mkdir -p $SPLUNK_BRO_JSON/local
|
||||
cp $SPLUNK_BRO_JSON/default/inputs.conf $SPLUNK_BRO_JSON/local/inputs.conf
|
||||
|
||||
|
||||
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR index bro
|
||||
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR sourcetype json_bro
|
||||
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR whitelist '.*\.log$'
|
||||
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR blacklist '.*(communication|stderr)\.log$'
|
||||
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR disabled 0
|
||||
|
||||
|
||||
|
||||
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
|
||||
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype json_suricata
|
||||
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
|
||||
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
|
||||
|
||||
# ensure permissions are correct and restart splunk
|
||||
chown -R splunk $SPLUNK_BRO_JSON
|
||||
/opt/splunk/bin/splunk restart
|
||||
}
|
||||
|
||||
install_suricata() {
|
||||
# install yq to maniuplate the suricata.yaml inline
|
||||
/usr/bin/go get -u github.com/mikefarah/yq
|
||||
# install suricata
|
||||
add-apt-repository -y ppa:oisf/suricata-stable
|
||||
apt-get -qq -y update && apt-get -qq -y install suricata crudini
|
||||
# install suricata-update
|
||||
pip3.6 install --pre --upgrade suricata-update
|
||||
# add DC_SERVERS variable to suricata.yaml in support et-open signatures
|
||||
/root/go/bin/yq w -i /etc/suricata/suricata.yaml vars.address-groups.DC_SERVERS '$HOME_NET'
|
||||
crudini --set --format=sh /etc/default/suricata '' iface eth1
|
||||
# update suricata signature sources
|
||||
suricata-update update-sources
|
||||
# disable protocol decode as it is duplicative of bro
|
||||
echo re:protocol-command-decode >> /etc/suricata/disable.conf
|
||||
# enable et-open and attackdetection sources
|
||||
for i in et/open ptresearch/attackdetection
|
||||
do
|
||||
suricata-update enable-source $i
|
||||
|
||||
done
|
||||
# update suricata and restart
|
||||
suricata-update
|
||||
systemctl restart suricata
|
||||
|
||||
}
|
||||
|
||||
main() {
|
||||
install_mongo_db_apt_key
|
||||
apt_install_prerequisites
|
||||
@@ -226,6 +370,8 @@ main() {
|
||||
download_palantir_osquery_config
|
||||
import_osquery_config_into_fleet
|
||||
install_caldera
|
||||
install_suricata
|
||||
install_bro
|
||||
}
|
||||
|
||||
main
|
||||
|
||||
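Review bot: The Bro source in install_bro is fetched over the unauthenticated git:// protocol (`git clone --recursive --branch v$BRO_VERSION git://git.bro.org/bro $BRO_SRC`), then compiled and installed as root, so anything on the network path can substitute the tree that ends up in /opt/bro; an https remote with the same tag, e.g. `git clone --recursive --branch v$BRO_VERSION https://github.com/bro/bro $BRO_SRC`, removes that exposure, and the same concern applies in smaller form to the unpinned `go get -u github.com/mikefarah/yq`, `pip3.6 install --pre --upgrade suricata-update` and the `splunk-ta-bro-json` clone, none of which names a version or commit. The apt list in the same function installs flex and libpcap-dev twice, which is harmless but reads like a paste error. The comment `# setup $CPUS numbers of bro workers` no longer matches the loop beneath it, which creates a single worker for eth1 and passes $CPUS as lb_procs with lb_method pf_ring, while nothing in the hunk installs PF_RING, so either the comment or the lb_method should be reconciled. The heredoc appends to local.bro and the echo appends to disable.conf, so a second provisioning run duplicates both blocks rather than leaving the files unchanged.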