From 6b40e372bde32697183d2fa2663619864e12d41e Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Sat, 11 May 2019 01:42:35 -0700
Subject: [PATCH] Actually include the files
---
Packer/floppy/PinTo10.exe | Bin
Packer/floppy/WindowsPowershell.lnk | Bin
Packer/scripts/MakeWindows10GreatAgain.ps1 | 0
Packer/scripts/MakeWindows10GreatAgain.reg | 0
Packer/scripts/rearm-windows.ps1 | 0
Packer/scripts/sysprep.bat | 0
Vagrant/bootstrap.sh | 31 ++++++++++++++++++--
Vagrant/scripts/MakeWindows10GreatAgain.ps1 | 4 +++
Vagrant/scripts/bginfo.bgi | Bin 1440 -> 1588 bytes
9 files changed, 32 insertions(+), 3 deletions(-)
mode change 100644 => 100755 Packer/floppy/PinTo10.exe
mode change 100644 => 100755 Packer/floppy/WindowsPowershell.lnk
mode change 100644 => 100755 Packer/scripts/MakeWindows10GreatAgain.ps1
mode change 100644 => 100755 Packer/scripts/MakeWindows10GreatAgain.reg
mode change 100644 => 100755 Packer/scripts/rearm-windows.ps1
mode change 100644 => 100755 Packer/scripts/sysprep.bat
diff --git a/Packer/floppy/PinTo10.exe b/Packer/floppy/PinTo10.exe
old mode 100644
new mode 100755
diff --git a/Packer/floppy/WindowsPowershell.lnk b/Packer/floppy/WindowsPowershell.lnk
old mode 100644
new mode 100755
diff --git a/Packer/scripts/MakeWindows10GreatAgain.ps1 b/Packer/scripts/MakeWindows10GreatAgain.ps1
old mode 100644
new mode 100755
diff --git a/Packer/scripts/MakeWindows10GreatAgain.reg b/Packer/scripts/MakeWindows10GreatAgain.reg
old mode 100644
new mode 100755
diff --git a/Packer/scripts/rearm-windows.ps1 b/Packer/scripts/rearm-windows.ps1
old mode 100644
new mode 100755
diff --git a/Packer/scripts/sysprep.bat b/Packer/scripts/sysprep.bat
old mode 100644
new mode 100755
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 3bf497d..39b6fa7 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -131,8 +131,16 @@ install_splunk() {
 # Skip Splunk Tour and Change Password Dialog
 echo "[$(date +%H:%M:%S)]: Disabling the Splunk tour prompt..."
 touch /opt/splunk/etc/.ui_login
- mkdir /opt/splunk/etc/users/admin/search/local
- echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/users/admin/search/local/ui-tour.conf
+ mkdir -p /opt/splunk/etc/users/admin/search/local
+ echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/system/local/ui-tour.conf
+ mkdir /opt/splunk/etc/apps/user-prefs/local
+ echo '[general]
+ render_version_messages = 0
+ hideInstrumentationOptInModal = 1
+ dismissedInstrumentationOptInVersion = 2
+ [general_default]
+ hideInstrumentationOptInModal = 1
+ showWhatsNew = 0' > /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
 # Enable SSL Login for Splunk
 echo -e "[settings]\nenableSplunkWebSSL = true" > /opt/splunk/etc/system/local/web.conf
@@ -204,13 +212,19 @@ install_bro() {
 SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
 SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager'
 SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
+ SPLUNK_SURICATA_SOURCETYPE='json_suricata'
 echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list
 curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add -
 # Update APT repositories
 apt-get -qq -ym update
 # Install tools to build and configure bro
- apt-get -qq -ym install bro crudini
+ apt-get -qq -ym install bro crudini python-pip
+ export PATH=$PATH:/opt/bro/bin
+ pip install bro-pkg
+ bro-pkg refresh
+ bro-pkg autoconfig
+ bro-pkg install --force salesforce/ja3
 # Load bro scripts
 echo '
 @load protocols/ftp/software
@@ -226,6 +240,7 @@ install_bro() {
 @load policy/protocols/smb
 @load policy/protocols/conn/vlan-logging
 @load policy/protocols/conn/mac-logging
+ @load ja3
 redef Intel::read_files += {
 "/opt/bro/etc/intel.dat"
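Review bot: The third added line in the install_splunk hunk, `mkdir /opt/splunk/etc/apps/user-prefs/local`, has the same failure mode the first added line just fixed: without `-p` it errors when the directory already exists (a second provisioning run), and if bootstrap.sh runs under `set -e` (not visible here) that aborts install_splunk before the web.conf SSL setting below it is written. Use `mkdir -p /opt/splunk/etc/apps/user-prefs/local`. Separately, the `mkdir -p .../users/admin/search/local` on the first added line now creates a directory that nothing in this hunk writes to, since ui-tour.conf moved to system/local; either drop it or add a comment saying why it stays. install_splunk continues outside the hunk.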
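Review bot: In the install_bro hunk, the new `pip install bro-pkg` and `bro-pkg install --force salesforce/ja3` lines fetch unpinned code from PyPI and a third-party GitHub repository at provisioning time, so the contents of the sensor depend on whatever those sources serve on the day the box is built, and a failed fetch leaves the `@load ja3` added in the next hunk pointing at a script that was never installed. Pin both, e.g. `pip install 'bro-pkg==<VERSION>'` and `bro-pkg install --force --version <TAG> salesforce/ja3` (if the installed bro-pkg supports `--version`), and unless the script already runs under `set -e` make the install fail loudly: `bro-pkg install --force salesforce/ja3 || exit 1`. `export PATH=$PATH:/opt/bro/bin` should also quote the expansion, `export PATH="$PATH:/opt/bro/bin"`. install_bro continues outside the hunk.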
@@ -266,6 +281,7 @@ install_bro() {
 crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype json_suricata
 crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
 crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
+ crudini --set $SPLUNK_BRO_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
 # Ensure permissions are correct and restart splunk
 chown -R splunk $SPLUNK_BRO_JSON
@@ -314,9 +330,12 @@ install_suricata() {
 /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SSH
 /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Stats
 /root/go/bin/yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Flow
+ # Enable JA3 fingerprinting
+ /root/go/bin/yq w -i /etc/suricata/suricata.yaml app-layer.protocols.tls.ja3-fingerprints true
 # AF packet monitoring should be set to eth1
 /root/go/bin/yq w -i /etc/suricata/suricata.yaml af-packet.0.interface eth1
+ crudini --set --format=sh /etc/default/suricata '' iface eth1
 # update suricata signature sources
 suricata-update update-sources
@@ -378,6 +397,11 @@ test_suricata_prerequisites() {
 fi
 }
+postinstall_tasks() {
+ # Include Splunk and Bro in the PATH
+ echo export PATH="$PATH:/opt/splunk/bin:/opt/bro/bin" >> ~/.bashrc
+}
 main() {
 apt_install_prerequisites
 test_prerequisites
@@ -389,6 +413,7 @@ main() {
 import_osquery_config_into_fleet
 install_suricata
 install_bro
+ postinstall_tasks
 }
 main
diff --git a/Vagrant/scripts/MakeWindows10GreatAgain.ps1 b/Vagrant/scripts/MakeWindows10GreatAgain.ps1
index e2c5db2..a1a9508 100644
--- a/Vagrant/scripts/MakeWindows10GreatAgain.ps1
+++ b/Vagrant/scripts/MakeWindows10GreatAgain.ps1
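Review bot: The added props.conf line keys off `$SPLUNK_SURICATA_SOURCETYPE`, but the first context line of the same hunk still hard-codes the literal `json_suricata` for inputs.conf, so the two can diverge and the TRUNCATE stanza would silently stop applying to the Suricata input. Reuse the variable there too: `crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype $SPLUNK_SURICATA_SOURCETYPE`. Note also that `TRUNCATE 0` removes the per-event size cap entirely, so an oversized eve.json line is indexed whole; a one-line comment such as `# TRUNCATE 0: Suricata JSON events can exceed Splunk's default event length` would tell the next reader this is intended. The hunk appears to be missing a blank context line and install_bro continues outside it.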
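Review bot: In the install_suricata hunk, `crudini --set --format=sh /etc/default/suricata '' iface eth1` uses a lowercase key, while Debian/Ubuntu's stock /etc/default/suricata spells it `IFACE`; as far as I recall crudini preserves key case, so this would add a second `iface=eth1` line and the init script would keep reading the original `IFACE` value. If that is the case on the target image, the daemon keeps sniffing the wrong interface and the sensor is blind despite the af-packet change made on the line above; confirm on the image and, if so, use `crudini --set --format=sh /etc/default/suricata '' IFACE eth1`. install_suricata continues outside the hunk.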
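Review bot: In postinstall_tasks, `echo export PATH="$PATH:/opt/splunk/bin:/opt/bro/bin" >> ~/.bashrc` expands `$PATH` at provisioning time, because the double quotes are consumed by the shell before echo runs; the line written to .bashrc therefore freezes the provisioner's PATH (including the `/opt/bro/bin` export from install_bro) instead of extending the login shell's, and it is appended again on every re-run. Write the literal line and guard it: `grep -qF '/opt/splunk/bin' ~/.bashrc || echo 'export PATH="$PATH:/opt/splunk/bin:/opt/bro/bin"' >> ~/.bashrc`. `~` also resolves to the account running the provisioner, which under Vagrant is probably root rather than the vagrant user; confirm that is the shell meant to get these tools.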
@@ -38,3 +38,7 @@ if (-not (Test-Path $shutUp10RepoPath)) {
 } else {
 Write-Host "ShutUp10 was already installed. Moving On."
 }
+
+# Remove the Edge shortcut from the Desktop
+$lnkPath = "c:\Users\vagrant\Desktop\Microsoft Edge.lnk"
+if (Test-Path $lnkPath) { Remove-Item $lnkPath }
diff --git a/Vagrant/scripts/bginfo.bgi b/Vagrant/scripts/bginfo.bgi
index 88ddfbd5391a06e5d00a13ce79663892239159f0..41c18e3311c322927c8b8c9e2d16860ab635c43b 100755
GIT binary patch delta 605 zcmZWn!D`z;5M5bzp=x|e!I1W_xi;99Y(vu0mKuj97YET0O6XkH(#T#SX~k+~rIb=b zL)v4*{y;yX$NWkzIVaE$=%MR`CP6to-o6>$+u31%J^H=$v$b;c{ReqS2=PVE6&ER~ z8?nIO6VI=`#glJ)Uu#AZ;uw5jah$OXC9#a!G60w*C6m~mid@0&)EqS!IFZ61CeSb6< z(m@!So#z$TozAWA`UN8vOnHiQQzVS1Ro`_}59%#FYOLvFyQlxyp1!QN_1u1-4;xRL Miw{ApIhil`A0lwS?EnA( delta 422 zcmdnOvw(YoxD*2rZ~}2aesN|=W_}(63y=fC|0Ws+Fde9#*c>Vc;(`Dd5Qit`2!aW)|b*V#Ym;eUlBC6eq_pMa9LGWu}&AXXd4t z#FQo*#uOwLrNpFV>Ka*C7{ugcf~mryn34)GD>=0&T@}Joi;984hNi^Rb#gze zgeuH!KszdnOHy+cLMjW8T?}+AFW2Nttj3eMS&S!pvT9G}W|QFog(YJHLj#Bg0G;@K AvH$=8
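Review bot: The added `$lnkPath = "c:\Users\vagrant\Desktop\Microsoft Edge.lnk"` hard-codes the vagrant profile, so the cleanup silently does nothing if the script runs under another account or the profile is located elsewhere. Derive the path from the environment instead: `$lnkPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Microsoft Edge.lnk'` — assuming the script is meant to run as the user whose desktop is being cleaned, which the hunk does not show. Using `Remove-Item -LiteralPath $lnkPath` would also keep the space-containing path from being interpreted as a pattern. The enclosing if/else closes inside this hunk; the rest of the script is outside it.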