trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added Malcolm

Browse Source
This commit is contained in:
Trinitor
2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

146
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/audit/rules.d/audit.rules Normal file
View File

@@ -0,0 +1,146 @@
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 0
## Set failure mode to syslog
-f 1
# exclusions
-a always,exclude -F msgtype=AVC
-a always,exclude -F msgtype=CRYPTO_KEY_USER
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=EOE
# commands
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/pmount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/pumount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
-a always,exit -F path=/usr/bin/dotlock.mailutils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/ntfs-3g -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pmount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pumount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/xorg/Xorg.wrap -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F path=/usr/sbin/visudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
# privileged files
-w /bin/kmod -p x -k modules
-w /etc/apparmor.d/ -p wa -k MAC-policy
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/localtime -p wa -k time-change
-w /etc/network -p wa -k system-locale
-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /etc/opasswd -p wa -k usergroup_modification
-w /etc/passwd -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /var/log/btmp -p wa -k session
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/sudo.log -p wa -k sudoaction
-w /var/log/tallylog -p wa -k logins
-w /var/log/wtmp -p wa -k session
-w /var/run/faillock -p wa -k logins
-w /var/run/utmp -p wa -k session
# syscalls
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
# Make the configuration immutable -- reboot is required to change audit rules
-e 2

33
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/bash.bash_aliases Normal file
View File

@@ -0,0 +1,33 @@
# some more ls aliases
# sensor
alias configure-interfaces="su -l -c /usr/local/bin/configure-interfaces.py"
alias configure-capture="/usr/local/bin/configure-capture.py"
#safety
alias mv='mv -i'
alias rm='rm -I -v'
alias cp='cp -i'
alias chmod='chmod --preserve-root'
alias chown='chown --preserve-root'
#convenience
alias ls="ls --block-size=\"'1\" --color=auto --group-directories-first"
alias la='ls -A'
alias l='ls -oah'
alias ll='ls -l --si --color=auto --group-directories-first'
alias lt='ls -ltr'
alias lld='ls -lUd */'
alias lsize='ls -lSrh'
alias df='df -Th'
alias ln='ln -s'
alias ..='cd ..'
alias cd..='cd ..'
alias cd-='cd -'
alias cdp='cd -P'
alias dump='hexdump -C'
alias findbroken='find . -type l ! -exec test -r {} \; -print'
alias utime='date +%s'
alias dutop='du -csh ./* 2>/dev/null | sort -rh'
alias mountcol='mount | column -t'
alias dmesg='dmesg -wHx'

384
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/bash.bash_functions Normal file
View File

@@ -0,0 +1,384 @@
########################################################################
# text processing
########################################################################
function cols () {
first="awk '{print "
last="}'"
cmd="${first}"
commatime=""
for var in "$@"
do
if [ -z $commatime ]
then
commatime="no"
cmd=${cmd}\$${var}
else
cmd=${cmd}\,\$${var}
fi
done
cmd="${cmd}${last}"
eval $cmd
}
function headtail () {
awk -v offset="$1" '{ if (NR <= offset) print; else { a[NR] = $0; delete a[NR-offset] } } END { { print "--------------------------------" } for (i=NR-offset+1; i<=NR; i++) print a[i] }' ;
}
function wait_file() {
local file="$1"; shift
local wait_seconds="${1:-10}"; shift # 10 seconds as default timeout
until test $((wait_seconds--)) -eq 0 -o -f "$file" ; do sleep 1; done
((++wait_seconds))
}
function taildiff () {
LEFT_FILE=$1
RIGHT_FILE=$2
RIGHT_LINES=$(wc -l "$RIGHT_FILE" | cut -d ' ' -f1)
diff -bwBy --suppress-common-lines <(head -n $RIGHT_LINES "$LEFT_FILE") <(head -n $RIGHT_LINES "$RIGHT_FILE")
}
function fs() {
if du -b /dev/null > /dev/null 2>&1; then
local arg=-sbh;
else
local arg=-sh;
fi
if [[ -n "$@" ]]; then
du $arg -- "$@";
else
du $arg .[^.]* ./*;
fi;
}
function lin () {
sed -n $1p
}
function fsize () {
echo "$1" | awk 'function human(x) {
s=" B KiB MiB GiB TiB EiB PiB YiB ZiB"
while (x>=1024 && length(s)>1)
{x/=1024; s=substr(s,5)}
s=substr(s,1,4)
xf=(s==" B ")?"%5d ":"%0.2f"
return sprintf( xf"%s", x, s)
}
{gsub(/^[0-9]+/, human($1)); print}'
}
function multigrep() { local IFS='|'; grep -rinE "$*" . ; }
function ord() { printf "%d\n" "'$1"; }
function chr() { printf \\$(($1/64*100+$1%64/8*10+$1%8))\\n; }
########################################################################
# math
########################################################################
function calc () { python -c "from math import *; n = $1; print n; print '$'+hex(trunc(n))[2:]; print '&'+oct(trunc(n))[1:]; print '%'+bin(trunc(n))[2:];"; }
function add () {
awk '{s+=$1} END {print s}'
}
########################################################################
# directory navigation/file manipulation
########################################################################
function cd() { if [[ "$1" =~ ^\.\.+$ ]];then local a dir;a=${#1};while [ $a -ne 1 ];do dir=${dir}"../";((a--));done;builtin cd $dir;else builtin cd "$@";fi ;}
function fcd() { [ -f $1 ] && { cd $(dirname $1); } || { cd $1 ; } }
function up { cd $(eval printf '../'%.0s {1..$1}) && pwd; }
function realgo() { fcd $(realpath $(which $1)) && pwd ; }
function realwhich() { realpath $(which $1) ; }
function renmod() {
FILENAME="$@";
TIMESTAMP=$(date -d @$(stat -c%Y "$FILENAME") +"%Y%m%d%H%M%S")
mv -iv "$FILENAME" "$FILENAME.$TIMESTAMP"
}
function upto() {
local EXPRESSION="$1"
if [ -z "$EXPRESSION" ]; then
echo "A folder expression must be provided." >&2
return 1
fi
if [ "$EXPRESSION" = "/" ]; then
cd "/"
return 0
fi
local CURRENT_FOLDER="$(pwd)"
local MATCHED_DIR=""
local MATCHING=true
while [ "$MATCHING" = true ]; do
if [[ "$CURRENT_FOLDER" =~ "$EXPRESSION" ]]; then
MATCHED_DIR="$CURRENT_FOLDER"
CURRENT_FOLDER=$(dirname "$CURRENT_FOLDER")
else
MATCHING=false
fi
done
if [ -n "$MATCHED_DIR" ]; then
cd "$MATCHED_DIR"
return 0
else
echo "No Match." >&2
return 1
fi
}
# complete upto
_upto () {
# necessary locals for _init_completion
local cur prev words cword
_init_completion || return
COMPREPLY+=( $( compgen -W "$( echo ${PWD//\// } )" -- $cur ) )
}
complete -F _upto upto
########################################################################
# history
########################################################################
function h() { if [ -z "$1" ]; then history; else history | grep -i "$@"; fi; }
########################################################################
# searching
########################################################################
function fname() { find . -iname "*$@*"; }
########################################################################
# examine running processes
########################################################################
function auxer() {
ps aux | grep -i "$(echo "$1" | sed "s/^\(.\)\(.*$\)/\[\1\]\2/")"
}
function psgrep() { ps axuf | grep -v grep | grep "$@" -i --color=auto; }
function killtree() {
if [ "$1" ]
then
kill $(pstree -p $1 | sed 's/(/\n(/g' | grep '(' | sed 's/(\(.*\)).*/\1/' | tr "\n" " ")
else
echo "No PID specified">&2
fi
}
function howmuchmem () {
PROCNAME="$@";
RAMKILOBYTES=($(ps axo rss,comm|grep $PROCNAME| awk '{ TOTAL += $1 } END { print TOTAL }'));
RAMBYTES=$(echo "$RAMKILOBYTES*1024" | bc);
RAM=$(fsize $RAMBYTES);
echo "$RAM";
}
function mempercent () {
PROCNAME="$@";
ps -eo pmem,comm | grep "$PROCNAME" | awk '{sum+=$1} END {print sum " % of RAM"}'
}
function htopid () {
PROCPID="$1"
htop -p $(pstree -p $PROCPID | perl -ne 'push @t, /\((\d+)\)/g; END { print join ",", @t }')
}
function lport () {
if [ "$1" ]
then
netstat -anp 2>/dev/null|grep "$1"|grep LISTEN|awk '{print $4}'|grep -P -o "\d+"|grep -v "^0$"
else
echo "No process specified">&2
fi
}
########################################################################
# APT package management
########################################################################
function aptsearch() { apt-cache search "$1"; }
function aptsize() {
dpkg-query --show --showformat='${Package;-50}\t${Installed-Size} ${Status}\n' | sort -k 2 -n | grep -v deinstall
}
########################################################################
# date/time
########################################################################
function dateu()
{
if [ "$1" ]
then
echo $(date -u -d @$1);
else
echo "No UNIX time specified">&2
fi
}
function udate()
{
if [ "$1" ]
then
date -u +%s -d "$1"
else
date -u +%s
fi
}
function sec2dhms() {
declare -i SS="$1" D=$(( SS / 86400 )) H=$(( SS % 86400 / 3600 )) M=$(( SS % 3600 / 60 )) S=$(( SS % 60 )) [ "$D" -gt 0 ] && echo -n "${D}:" [ "$H" -gt 0 ] && printf "%02g:" "$H" printf "%02g:%02g\n" "$M" "$S"
}
########################################################################
# system
########################################################################
function ddisousb() {
if [ "$1" ] && [[ -r "$1" ]] ; then
if [ "$2" ] && [[ -r "$2" ]] ; then
echo "dd if=\"$1\" of=\"$2\" bs=4M status=progress oflag=sync"
dd if="$1" of="$2" bs=4M status=progress oflag=sync
else
echo "No destination device specified">&2
fi
else
echo "No iso file specified">&2
fi
}
function find_linux_root_device() {
local PDEVICE=`stat -c %04D /`
for file in $(find /dev -type b 2>/dev/null) ; do
local CURRENT_DEVICE=$(stat -c "%02t%02T" $file)
if [ $CURRENT_DEVICE = $PDEVICE ]; then
ROOTDEVICE="$file"
break;
fi
done
echo "$ROOTDEVICE"
}
function rotationals() {
for f in /sys/block/sd?/queue/rotational; do printf "$f is "; cat $f; done
}
function schedulers() {
for f in /sys/block/sd?/queue/scheduler; do printf "$f is "; cat $f; done
}
function watch_file_size() {
perl -e '
$file = shift; die "no file [$file]" unless ((-f $file) || (-d $file));
$isDir = (-d $file);
$sleep = shift; $sleep = 1 unless $sleep =~ /^[0-9]+$/;
$format = "%0.2f %0.2f\n";
while(1){
if ($isDir) {
$size = `du -0scb $file`;
$size =~ s/\s+.*//;
} else {
$size = ((stat($file))[7]);
}
$change = $size - $lastsize;
printf $format, $size/1024/1024, $change/1024/1024/$sleep;
sleep $sleep;
$lastsize = $size;
}' "$1" "$2"
}
function dux() {
du -x --max-depth=1|sort -rn|awk -F / -v c=$COLUMNS 'NR==1{t=$1} NR>1{r=int($1/t*c+.5); b="\033[1;31m"; for (i=0; i<r; i++) b=b"#"; printf " %5.2f%% %s\033[0m %s\n", $1/t*100, b, $2}'|tac
}
function dirtydev() {
while true; do cat /sys/block/$1/stat|cols 9; grep -P "(Dirty)\b" /proc/meminfo; sleep 1; done
}
function cpuuse() {
if [ "$1" ]; then
SLEEPSEC="$1"
else
SLEEPSEC=1
fi
{ cat /proc/stat; sleep "$SLEEPSEC"; cat /proc/stat; } | \
awk '/^cpu / {usr=$2-usr; sys=$4-sys; idle=$5-idle; iow=$6-iow} \
END {total=usr+sys+idle+iow; printf "%.2f\n", (total-idle)*100/total}'
}
########################################################################
# misc. shell/tmux/etc
########################################################################
function tmux() {
TMUX="$(which tmux)"
# old habits die hard, make "screen -l" and "screen -r" work the way I want them to for tmux
if [ "$#" -eq 1 ] && ([ "$1" = "-list" ] || [ "$1" = "-l" ]); then
shift
"$TMUX" ls
elif ([ "$#" -eq 1 ] || [ "$#" -ge 2 ]) && [ "$1" = "-r" ]; then
shift
if [ "$#" -eq 0 ]; then
"$TMUX" ls >/dev/null 2>&1 && "$TMUX" attach || echo "No tmux sessions found"
else
SID="$1"; shift
"$TMUX" attach -t "$SID" "$@"
fi
else
"$TMUX" "$@"
fi
}
function screen() {
tmux "$@"
}
########################################################################
# sensor-specific
########################################################################
function sensorwatch () {
if [ "$1" ]; then
SLEEPSEC="$1"
else
SLEEPSEC=1
fi
if [ -f /opt/sensor/sensor_ctl/control_vars.conf ] ; then
. /opt/sensor/sensor_ctl/control_vars.conf
if [ -d "$ZEEK_LOG_PATH" ] && [ -d "$PCAP_PATH" ] ; then
while true; do
clear
find "$PCAP_PATH" "$ZEEK_LOG_PATH" -type f \( -name "*.pcap*" -o -name "*.log*" \) -print0 | \
xargs -0 stat --format '%Y: %y %s %n' | \
sort -nr | \
cut -d: -f2- | \
sed -r "s/\..*\\+0000//" | \
head -n 10 | \
awk 'function human(x) {
s=" B KiB MiB GiB TiB EiB PiB YiB ZiB"
while (x>=1024 && length(s)>1)
{x/=1024; s=substr(s,5)}
s=substr(s,1,4)
xf=(s==" B ")?"%5d ":"%0.2f"
return sprintf( xf"%s", x, s)
};
{
$3 = human($3);
print
}'
echo
du -sh "$PCAP_PATH" "$ZEEK_LOG_PATH"
echo
df -h "$PCAP_PATH" "$ZEEK_LOG_PATH"
sleep $SLEEPSEC
done
fi
fi
}

17
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/chromium/policies/managed/policy.json Normal file
View File

@@ -0,0 +1,17 @@
{
"AllowDinosaurEasterEgg": false,
"BrowserSignin": false,
"EnableMediaRouter": false,
"HomepageIsNewTabPage": false,
"HomepageLocation": "http://127.0.0.1:5000",
"NewTabPageLocation": "about:blank",
"PromotionalTabsEnabled": false,
"RestoreOnStartup": 4,
"RestoreOnStartupURLs": [
"http://127.0.0.1:5000"
],
"RestrictSigninToPattern": ".*@example.com",
"SafeBrowsingExtendedReportingEnabled": false,
"ShowCastIconInToolbar": false,
"SyncDisabled": true
}

1
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/installer Normal file
View File

@@ -0,0 +1 @@
sensor

5
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/live/config.conf Normal file
View File

@@ -0,0 +1,5 @@
LIVE_LOCALES="en_US.UTF-8"
LIVE_HOSTNAME="sensor-live"
LIVE_USERNAME="sensor"
LIVE_USER_FULLNAME="sensor"
LIVE_USER_DEFAULT_GROUPS="adm audio cdrom disk netdev plugdev sudo video vboxsf"

341
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/login.defs Normal file
View File

@@ -0,0 +1,341 @@
#
# /etc/login.defs - Configuration control definitions for the login package.
#
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
# If unspecified, some arbitrary (and possibly incorrect) value will
# be assumed. All other items are optional - if not specified then
# the described action or option will be inhibited.
#
# Comment lines (lines beginning with "#") and blank lines are ignored.
#
# Modified for Linux. --marekm
# REQUIRED for useradd/userdel/usermod
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
# MAIL_DIR takes precedence.
#
# Essentially:
# - MAIL_DIR defines the location of users mail spool files
# (for mbox use) by appending the username to MAIL_DIR as defined
# below.
# - MAIL_FILE defines the location of the users mail spool files as the
# fully-qualified filename obtained by prepending the user home
# directory before $MAIL_FILE
#
# NOTE: This is no more used for setting up users MAIL environment variable
# which is, starting from shadow 4.0.12-1 in Debian, entirely the
# job of the pam_mail PAM modules
# See default PAM configuration files provided for
# login, su, etc.
#
# This is a temporary situation: setting these variables will soon
# move to /etc/default/useradd and the variables will then be
# no more supported
MAIL_DIR /var/mail
#MAIL_FILE .mail
#
# Enable logging and display of /var/log/faillog login failure info.
# This option conflicts with the pam_tally PAM module.
#
FAILLOG_ENAB yes
#
# Enable display of unknown usernames when login failures are recorded.
#
# WARNING: Unknown usernames may become world readable.
# See #290803 and #298773 for details about how this could become a security
# concern
LOG_UNKFAIL_ENAB no
#
# Enable logging of successful logins
#
LOG_OK_LOGINS no
#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
#
# If defined, login failures will be logged here in a utmp format
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE /var/log/btmp
#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su". If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME su
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
# However, the default and recommended value for TTYPERM is still 0600
# to not allow anyone to write to anyone else console or terminal
# Users can still allow other people to write them by issuing
# the "mesg y" command.
TTYGROUP tty
TTYPERM 0600
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# UMASK Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
#
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
#
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
# for private user groups, i. e. the uid is the same as gid, and username is
# the same as the primary group name: for these, the user permissions will be
# used as group permissions, e. g. 022 will become 002.
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
UMASK 077
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
#SYS_GID_MIN 100
#SYS_GID_MAX 999
#
# Max number of login retries if password is bad. This will most likely be
# overriden by PAM, since the default pam_unix module has it's own built
# in of 3 retries. However, this is a safe fallback in case you are using
# an authentication module that does not enforce PAM_MAXTRIES.
#
LOGIN_RETRIES 5
#
# Max time in seconds for login
#
LOGIN_TIMEOUT 60
#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT rwh
#
# Should login be allowed if we can't cd to the home directory?
# Default in no.
#
DEFAULT_HOME yes
CREATE_HOME yes
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If set to yes, userdel will remove the user's group if it contains no
# more members, and useradd will create by default a group with the name
# of the user.
#
# Other former uses of this variable such as setting the umask when
# user==primary group are not used in PAM environments, such as Debian
#
USERGROUPS_ENAB yes
#
# Instead of the real user shell, the program specified by this parameter
# will be launched, although its visible name (argv[0]) will be the shell's.
# The program may do whatever it wants (logging, additional authentification,
# banner, ...) before running the actual shell.
#
# FAKE_SHELL /bin/fakeshell
#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names. Root logins will be allowed only
# upon these devices.
#
# This variable is used by login and su.
#
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
# This variable is used by login and su.
#
#CONSOLE_GROUPS floppy:audio:cdrom
#
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no
#
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD SHA512
#
# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000
################# OBSOLETED BY PAM ##############
# #
# These options are now handled by PAM. Please #
# edit the appropriate file in /etc/pam.d/ to #
# enable the equivelants of them.
#
###############
#MOTD_FILE
#DIALUPS_CHECK_ENAB
#LASTLOG_ENAB
#MAIL_CHECK_ENAB
#OBSCURE_CHECKS_ENAB
#PORTTIME_CHECKS_ENAB
#SU_WHEEL_ONLY
#CRACKLIB_DICTPATH
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#ENVIRON_FILE
#NOLOGINS_FILE
#ISSUE_FILE
#PASS_MIN_LEN
#PASS_MAX_LEN
#ULIMIT
#ENV_HZ
#CHFN_AUTH
#CHSH_AUTH
#FAIL_DELAY
################# OBSOLETED #######################
# #
# These options are no more handled by shadow. #
# #
# Shadow utilities will display a warning if they #
# still appear. #
# #
###################################################
# CLOSE_SESSIONS
# LOGIN_STRING
# NO_PASSWORD_CONSOLE
# QMAIL_DIR

8
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/security/limits.d/limits.conf Normal file
View File

@@ -0,0 +1,8 @@
* soft nofile 65535
* hard nofile 65535
* soft memlock unlimited
* hard memlock unlimited
* soft core 0
* hard core 0
* hard maxlogins 10

2
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.Xresources Normal file
View File

@@ -0,0 +1,2 @@
xscreensaver.mode: blank
xscreensaver.lock: false

88
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.bashrc Normal file
View File

@@ -0,0 +1,88 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# new directories default to 700, new files to 600
umask 077
export UMASK=077
# If not running interactively, don't do anything
[ -z "$PS1" ] && return
# don't put duplicate lines in the history and ignore same sucessive entries.
export HISTCONTROL=ignoreboth:erasedups
export HISTIGNORE="&:ls:ll:cd:history:h:[bf]g:exit:pwd:clear"
export HISTFILESIZE=1000000000
export HISTSIZE=1000000
export HISTTIMEFORMAT="[%Y-%m-%d %H:%M:%S] "
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"'
;;
*)
;;
esac
# enable programmable completion features
if [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
###############################################################################
# PATH
###############################################################################
PATH=/opt/zeek/bin:/opt/spicy/bin:/opt/moloch/bin:/usr/sbin:$PATH
if [ -d ~/bin ]; then
PATH=~/bin:$PATH
fi
if [ -d ~/.local/bin ]; then
PATH=~/.local/bin:$PATH
fi
export PATH
###############################################################################
# ALIASES AND FUNCTIONS
###############################################################################
if [ -f /etc/bash.bash_aliases ]; then
. /etc/bash.bash_aliases
fi
if [ -f /etc/bash.bash_functions ]; then
. /etc/bash.bash_functions
fi
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
if [ -f ~/.bash_functions ]; then
. ~/.bash_functions
fi
###############################################################################
# BASH OPTIONS
###############################################################################
shopt -s extglob
shopt -s dotglob
shopt -s cdspell
shopt -s histverify
shopt -s histappend
shopt -u progcomp
PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
###############################################################################
# BASH PROMPT
###############################################################################
PS1="\[\033[00;32m\]\u\[\033[00;34m\]@\h\[\033[1;30m\]:\[\033[00;35m\]\W\[\033[00m\]\[\033[01;37m\]\$ \[\033[00;37m\]"

27
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.config/clipit/clipitrc Normal file
View File

@@ -0,0 +1,27 @@
[rc]
use_copy=true
use_primary=false
synchronize=false
automatic_paste=false
show_indexes=false
save_uris=true
use_rmb_menu=false
save_history=false
history_limit=50
history_timeout_seconds=300
history_timeout=true
items_menu=10
statics_show=false
statics_items=0
hyperlinks_only=true
confirm_clear=false
single_line=true
reverse_history=true
item_length=0
ellipsize=0
history_key=<Ctrl><Alt>H
actions_key=<Ctrl><Alt>A
menu_key=<Ctrl><Alt>P
search_key=<Ctrl><Alt>F
offline_key=<Ctrl><Alt>O
offline_mode=false

15
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.config/gtk-3.0/settings.ini Normal file
View File

@@ -0,0 +1,15 @@
[Settings]
gtk-theme-name=Adwaita-dark
gtk-icon-theme-name=gnome
gtk-font-name=Sans 10
gtk-cursor-theme-size=18
gtk-toolbar-style=GTK_TOOLBAR_BOTH_HORIZ
gtk-toolbar-icon-size=GTK_ICON_SIZE_LARGE_TOOLBAR
gtk-button-images=1
gtk-menu-images=1
gtk-enable-event-sounds=0
gtk-enable-input-feedback-sounds=0
gtk-xft-antialias=1
gtk-xft-hinting=1
gtk-xft-hintstyle=hintslight
gtk-xft-rgba=rgb

134
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.config/lxpanel/LXDE/panels/hedgehog Normal file
View File

@@ -0,0 +1,134 @@
# lxpanel <profile> config file. Manually editing is not recommended.
# Use preference dialog in lxpanel to adjust config when you can.
Global {
edge=top
monitor=0
height=32
align=left
widthtype=percent
width=100
transparent=0
background=0
autohide=0
heightwhenhidden=4
tintcolor=#a0a0a0
alpha=255
setpartialstrut=1
iconsize=24
}
Plugin {
type=menu
Config {
system {
}
separator {
}
item {
command=run
}
separator {
}
item {
command=logout
image=gnome-logout
}
image=/usr/share/icons/gnome/32x32/places/start-here.png
}
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=launchtaskbar
Config {
Button {
id=terminator.desktop
}
Button {
id=firefox.desktop
}
Button {
id=hedgehog-kiosk.desktop
}
Button {
id=hedgehog-readme.desktop
}
Button {
id=sensor-services-status.desktop
}
Button {
id=configure-capture.desktop
}
Button {
id=configure-interfaces.desktop
}
Button {
id=sensor-services-full-restart.desktop
}
IconsOnly=0
FlatButton=0
UseMouseWheel=0
GroupedTasks=1
DisableUpscale=0
UseSmallerIcons=-1
spacing=1
ShowAllDesks=0
}
}
Plugin {
type=space
Config {
}
expand=1
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=pager
Config {
}
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=dclock
Config {
ClockFmt=%R
TooltipFmt=%A %x
BoldFont=0
IconOnly=0
CenterText=0
}
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=tray
Config {
}
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=launchbar
Config {
Button {
id=lxde-logout.desktop
}
}
}

48
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.config/lxsession/LXDE/desktop.conf Normal file
View File

@@ -0,0 +1,48 @@
[Session]
window_manager=openbox-lxde
disable_autostart=no
polkit/command=lxpolkit
clipboard/command=lxclipboard
xsettings_manager/command=build-in
proxy_manager/command=build-in
keyring/command=ssh-agent
quit_manager/command=lxsession-logout
lock_manager/command=lxlock
terminal_manager/command=lxterminal
[GTK]
sNet/ThemeName=Adwaita-dark
sNet/IconThemeName=gnome
sGtk/FontName=Sans 10
iGtk/ToolbarStyle=3
iGtk/ButtonImages=1
iGtk/MenuImages=1
iGtk/CursorThemeSize=18
iXft/Antialias=1
iXft/Hinting=1
sXft/HintStyle=hintslight
sXft/RGBA=rgb
iNet/EnableEventSounds=1
iNet/EnableInputFeedbackSounds=1
sGtk/ColorScheme=
iGtk/ToolbarIconSize=3
sGtk/CursorThemeName=DMZ-White
[Mouse]
AccFactor=20
AccThreshold=10
LeftHanded=0
[Keyboard]
Delay=500
Interval=30
Beep=1
[State]
guess_default=true
[Dbus]
lxde=true
[Environment]
menu_prefix=lxde-

13
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.config/pcmanfm/LXDE/desktop-items-0.conf Normal file
View File

@@ -0,0 +1,13 @@
[*]
wallpaper_mode=fit
wallpaper_common=1
wallpaper=/usr/share/images/desktop-base/hedgehog-wallpaper.png
desktop_bg=#1c0522
desktop_fg=#ffffff
desktop_shadow=#000000
desktop_font=Ubuntu Medium 12
show_wm_menu=0
sort=mtime;ascending;
show_documents=0
show_trash=0
show_mounts=1

26
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.config/pcmanfm/LXDE/pcmanfm.conf Normal file
View File

@@ -0,0 +1,26 @@
[config]
bm_open_method=0
[volume]
mount_on_startup=0
mount_removable=0
autorun=0
[ui]
always_show_tabs=0
max_tab_chars=32
win_width=640
win_height=480
splitter_pos=150
media_in_new_tab=0
desktop_folder_new_win=0
change_tab_on_drop=1
close_on_unmount=1
focus_previous=0
side_pane_mode=places
view_mode=list
show_hidden=0
sort=name;ascending;
toolbar=newtab;navigation;home;
show_statusbar=1
pathbar_mode_buttons=0

0
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.hushlogin Normal file
View File

1
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.selected_editor Normal file
View File

@@ -0,0 +1 @@
SELECTED_EDITOR="/usr/bin/vim.tiny"

47
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.tmux.conf Normal file
View File

@@ -0,0 +1,47 @@
unbind C-b
set -g prefix C-a
bind a send-prefix
bind-key C-a last-window
# Make shift+arrows, ctrl+arrows etc work in Vim.
set -g xterm-keys on
# See if this fixes slow ESC issues.
# http://unix.stackexchange.com/questions/23138/esc-key-causes-a-small-delay-in-terminal-due-to-its-alt-behavior
set -s escape-time 0
# Start window and pane indices at 1.
set -g base-index 1
set -g pane-base-index 1
# Status bar styling and content.
set -g status-bg black
set -g status-fg white
set -g status-left '#S '
# Highlight the active window in the status bar.
set-window-option -g window-status-current-bg yellow
set-window-option -g window-status-current-fg black
# More intuitive split-window mappings.
bind "'" split-window -h
bind - split-window -v
# Maximize pane, e.g. for copying.
bind-key z resize-pane -Z
# Switch pane and zoom
# https://twitter.com/tskogberg/status/792025881573199872
bind C-z select-pane -t :.+ \; resize-pane -Z
# toggle synchronize panes
bind C-x set-window-option synchronize-panes\; display-message "synchronize-panes is now #{?pane_synchronized,on,off}"
# Reload tmux conf.
unbind r
bind r source-file ~/.tmux.conf\; display "Reloaded conf."
# Use vim keybindings in copy mode
setw -g mode-keys vi

2
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.vimrc Normal file
View File

@@ -0,0 +1,2 @@
set nocompatible

281
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/skel/.xscreensaver Normal file
View File

@@ -0,0 +1,281 @@
# XScreenSaver Preferences File
# Written by xscreensaver-demo 5.36 for sensor on Wed Jul 3 15:35:13 2019.
# https://www.jwz.org/xscreensaver/
timeout: 0:10:00
cycle: 0:10:00
lock: False
lockTimeout: 0:00:00
passwdTimeout: 0:00:30
visualID: default
installColormap: True
verbose: False
timestamp: True
splash: True
splashDuration: 0:00:05
demoCommand: xscreensaver-demo
prefsCommand: xscreensaver-demo -prefs
nice: 10
memoryLimit: 0
fade: False
unfade: False
fadeSeconds: 0:00:03
fadeTicks: 20
captureStderr: True
ignoreUninstalledPrograms:True
font: *-medium-r-*-140-*-m-*
dpmsEnabled: False
dpmsQuickOff: False
dpmsStandby: 2:00:00
dpmsSuspend: 2:00:00
dpmsOff: 4:00:00
grabDesktopImages: False
grabVideoFrames: False
chooseRandomImages: False
imageDirectory:
mode: blank
selected: -1
textMode: date
textLiteral: XScreenSaver
textFile:
textProgram: fortune
textURL: http://planet.debian.org/rss20.xml
programs: \
maze -root \n\
- GL: superquadrics -root \n\
attraction -root \n\
blitspin -root \n\
greynetic -root \n\
helix -root \n\
hopalong -root \n\
imsmap -root \n\
- noseguy -root \n\
- pyro -root \n\
qix -root \n\
- rocks -root \n\
rorschach -root \n\
decayscreen -root \n\
flame -root \n\
halo -root \n\
slidescreen -root \n\
pedal -root \n\
bouboule -root \n\
- braid -root \n\
coral -root \n\
deco -root \n\
drift -root \n\
- fadeplot -root \n\
galaxy -root \n\
goop -root \n\
grav -root \n\
ifs -root \n\
unicode -root \n\
- GL: jigsaw -root \n\
julia -root \n\
- kaleidescope -root \n\
- GL: moebius -root \n\
moire -root \n\
- GL: morph3d -root \n\
mountain -root \n\
munch -root \n\
penrose -root \n\
- GL: pipes -root \n\
rd-bomb -root \n\
- GL: rubik -root \n\
- sierpinski -root \n\
slip -root \n\
- GL: sproingies -root \n\
starfish -root \n\
strange -root \n\
swirl -root \n\
triangle -root \n\
xjack -root \n\
xlyap -root \n\
- GL: atlantis -root \n\
bsod -root \n\
- GL: bubble3d -root \n\
- GL: cage -root \n\
- crystal -root \n\
cynosure -root \n\
discrete -root \n\
distort -root \n\
epicycle -root \n\
flow -root \n\
- GL: glplanet -root \n\
interference -root \n\
kumppa -root \n\
- GL: lament -root \n\
moire2 -root \n\
- GL: sonar -root \n\
- GL: stairs -root \n\
truchet -root \n\
- vidwhacker -root \n\
blaster -root \n\
bumps -root \n\
ccurve -root \n\
compass -root \n\
deluxe -root \n\
- demon -root \n\
- GL: extrusion -root \n\
- loop -root \n\
penetrate -root \n\
petri -root \n\
phosphor -root \n\
- GL: pulsar -root \n\
ripples -root \n\
shadebobs -root \n\
- GL: sierpinski3d -root \n\
spotlight -root \n\
squiral -root \n\
wander -root \n\
- webcollage -root \n\
xflame -root \n\
xmatrix -root \n\
- GL: gflux -root \n\
- nerverot -root \n\
xrayswarm -root \n\
xspirograph -root \n\
- GL: circuit -root \n\
- GL: dangerball -root \n\
- GL: engine -root \n\
- GL: flipscreen3d -root \n\
- GL: gltext -root \n\
- GL: menger -root \n\
- GL: molecule -root \n\
rotzoomer -root \n\
speedmine -root \n\
- GL: starwars -root \n\
- GL: stonerview -root \n\
vermiculate -root \n\
whirlwindwarp -root \n\
zoom -root \n\
anemone -root \n\
apollonian -root \n\
- GL: boxed -root \n\
- GL: cubenetic -root \n\
- GL: endgame -root \n\
euler2d -root \n\
fluidballs -root \n\
- GL: flurry -root \n\
- GL: glblur -root \n\
- GL: glsnake -root \n\
halftone -root \n\
- GL: juggler3d -root \n\
- GL: lavalite -root \n\
- polyominoes -root \n\
- GL: queens -root \n\
- GL: sballs -root \n\
- GL: spheremonics -root \n\
- thornbird -root \n\
twang -root \n\
- GL: antspotlight -root \n\
apple2 -root \n\
- GL: atunnel -root \n\
barcode -root \n\
- GL: blinkbox -root \n\
- GL: blocktube -root \n\
- GL: bouncingcow -root \n\
cloudlife -root \n\
- GL: cubestorm -root \n\
eruption -root \n\
- GL: flipflop -root \n\
- GL: flyingtoasters -root \n\
fontglide -root \n\
- GL: gleidescope -root \n\
- GL: glknots -root \n\
- GL: glmatrix -root \n\
- GL: glslideshow -root \n\
- GL: hypertorus -root \n\
- GL: jigglypuff -root \n\
metaballs -root \n\
- GL: mirrorblob -root \n\
piecewise -root \n\
- GL: polytopes -root \n\
pong -root \n\
popsquares -root \n\
- GL: surfaces -root \n\
xanalogtv -root \n\
abstractile -root \n\
anemotaxis -root \n\
- GL: antinspect -root \n\
fireworkx -root \n\
fuzzyflakes -root \n\
interaggregate -root \n\
intermomentary -root \n\
memscroller -root \n\
- GL: noof -root \n\
pacman -root \n\
- GL: pinion -root \n\
- GL: polyhedra -root \n\
- GL: providence -root \n\
substrate -root \n\
wormhole -root \n\
- GL: antmaze -root \n\
- GL: boing -root \n\
boxfit -root \n\
- GL: carousel -root \n\
celtic -root \n\
- GL: crackberg -root \n\
- GL: cube21 -root \n\
fiberlamp -root \n\
- GL: fliptext -root \n\
- GL: glhanoi -root \n\
- GL: tangram -root \n\
- GL: timetunnel -root \n\
- GL: glschool -root \n\
- GL: topblock -root \n\
- GL: cubicgrid -root \n\
cwaves -root \n\
- GL: gears -root \n\
- GL: glcells -root \n\
- GL: lockward -root \n\
m6502 -root \n\
- GL: moebiusgears -root \n\
- GL: voronoi -root \n\
- GL: hypnowheel -root \n\
- GL: klein -root \n\
- lcdscrub -root \n\
- GL: photopile -root \n\
- GL: skytentacles -root \n\
- GL: rubikblocks -root \n\
- GL: companioncube -root \n\
- GL: hilbert -root \n\
- GL: tronbit -root \n\
- GL: geodesic -root \n\
hexadrop -root \n\
- GL: kaleidocycle -root \n\
- GL: quasicrystal -root \n\
- GL: unknownpleasures -root \n\
binaryring -root \n\
- GL: cityflow -root \n\
- GL: geodesicgears -root \n\
- GL: projectiveplane -root \n\
- GL: romanboy -root \n\
tessellimage -root \n\
- GL: winduprobot -root \n\
- GL: splitflap -root \n\
- GL: cubestack -root \n\
- GL: cubetwist -root \n\
- GL: discoball -root \n\
- GL: dymaxionmap -root \n\
- GL: energystream -root \n\
- GL: hexstrut -root \n\
- GL: hydrostat -root \n\
- GL: raverhoop -root \n\
- GL: splodesic -root \n\
- GL: unicrud -root \n\
pointerPollTime: 0:00:05
pointerHysteresis: 10
windowCreationTimeout:0:00:30
initialDelay: 0:00:00
GetViewPortIsFullOfLies:False
procInterrupts: True
xinputExtensionDev: False
overlayStderr: True
authWarningSlack: 20

127
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/ssh/sshd_config Normal file
View File

@@ -0,0 +1,127 @@
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Protocol 2
#Port 22
AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 60
PermitRootLogin no
StrictModes yes
MaxAuthTries 4
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
RhostsRSAAuthentication no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox
PermitUserEnvironment no
Compression no
ClientAliveInterval 300
ClientAliveCountMax 0
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
Banner=/etc/issue
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

2
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/sudoers.d/nic_capture_setup Normal file
View File

@@ -0,0 +1,2 @@
# allow unprivileged mgmt of interface flags via ethtool prior to starting capture
%netdev ALL=(root) NOPASSWD: /usr/local/bin/nic-capture-setup.sh

2
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/sudoers.d/ufw_moloch_viewer Normal file
View File

@@ -0,0 +1,2 @@
# allow unprivileged mgmt of UFW access for the local Arkime viewer instance
%netdev ALL=(root) NOPASSWD: /usr/local/bin/ufw_allow_viewer.sh

5
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/etc/xdg/lxsession/LXDE/autostart Normal file
View File

@@ -0,0 +1,5 @@
@lxpanel --profile LXDE
@pcmanfm --desktop --profile LXDE
@xscreensaver -no-splash
@/usr/local/bin/capture-format-wait.sh
@/opt/firefox/firefox --setDefaultBrowser --no-remote --private --kiosk http://127.0.0.1:5000

126
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/opt/zeek/bin/zeek.sh Executable file
View File

@@ -0,0 +1,126 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# configuration variables may be specified in control_vars.conf rather than on the command line
CONTROL_VARS_FILE="control_vars.conf"
# script usd for file extraction
EXTRACTOR_ZEEK_SCRIPT="extractor.zeek"
# get utilities for finding default zeek path and executable
[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath
[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname
if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then
echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME"
exit 1
fi
export SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))"
# source configuration variables file if found (precedence: pwd, script directory, /opt/sensor/sensor_ctl)
if [[ -r ./"$CONTROL_VARS_FILE" ]]; then
source ./"$CONTROL_VARS_FILE"
elif [[ -r "$SCRIPT_PATH"/"$CONTROL_VARS_FILE" ]]; then
source "$SCRIPT_PATH"/"$CONTROL_VARS_FILE"
elif [[ -r /opt/sensor/sensor_ctl/"$CONTROL_VARS_FILE" ]]; then
source /opt/sensor/sensor_ctl/"$CONTROL_VARS_FILE"
fi
# determine location of zeek executable and relative installation path
ZEEK_EXE="$(which zeek)"
[[ ! -x "$ZEEK_EXE" ]] && ZEEK_EXE="/opt/zeek/bin/zeek"
[[ ! -x "$ZEEK_EXE" ]] && ZEEK_EXE="/usr/bin/zeek"
[[ ! -x "$ZEEK_EXE" ]] && ZEEK_EXE="/usr/local/bin/zeek"
if [[ ! -x "$ZEEK_EXE" ]]; then
echo "zeek executable not found or not executable"
exit 1
fi
ZEEK_INSTALL_PATH="$(realpath "$(dirname "$(realpath "$ZEEK_EXE")")"/..)"
if [[ ! -d "$ZEEK_INSTALL_PATH" ]]; then
echo "zeek root path \"$ZEEK_INSTALL_PATH\" does not exist"
exit 1
fi
# allow user-specified overrides for interface, file extraction mode, and destination log path
while getopts i:p:f:d:o: opts; do
case ${opts} in
i) CAPTURE_INTERFACE=${OPTARG} ;;
p) PCAP_FILE=${OPTARG} ;;
f) ZEEK_EXTRACTOR_MODE=${OPTARG} ;;
d) ZEEK_LOG_PATH=${OPTARG} ;;
o) ZEEK_EXTRACTOR_OVERRIDE_FILE=${OPTARG} ;;
esac
done
# capture interface or PCAP file *must* be specified
if [[ -n $PCAP_FILE ]] && [[ -r $PCAP_FILE ]] ; then
ZEEK_INPUT_FLAG="-r"
ZEEK_INPUT_OBJECT=$PCAP_FILE
elif [[ -n $CAPTURE_INTERFACE ]] ; then
ZEEK_INPUT_FLAG="-i"
ZEEK_INPUT_OBJECT=$CAPTURE_INTERFACE
else
echo "Zeek capture interface (via \$CAPTURE_INTERFACE or -i <name>) or PCAP file (via -p <filename>) not specified"
exit 1
fi
# default file extraction mode is "do not extract files"
[[ -z $ZEEK_EXTRACTOR_MODE ]] && ZEEK_EXTRACTOR_MODE="none"
export ZEEK_EXTRACTOR_MODE
# if zeek log path is unspecified, write logs to pwd
[[ -z $ZEEK_LOG_PATH ]] && ZEEK_LOG_PATH=.
ZEEK_LOG_PATH="$($REALPATH "$ZEEK_LOG_PATH")"
# if file extraction is enabled and file extraction script exists, set up the argument for zeek to use it
ZEEK_EXTRACTOR_SCRIPT="$ZEEK_INSTALL_PATH"/share/zeek/site/"$EXTRACTOR_ZEEK_SCRIPT"
([[ ! -r "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ "$ZEEK_EXTRACTOR_MODE" = "none" ]]) && ZEEK_EXTRACTOR_SCRIPT=""
([[ ! -r "$ZEEK_EXTRACTOR_OVERRIDE_FILE" ]] || [[ -z "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ ! "$ZEEK_EXTRACTOR_MODE" = "mapped" ]]) && ZEEK_EXTRACTOR_OVERRIDE_FILE=""
# zeek ruleset is loaded from control_vars.conf if it existed, or "local" if not
[[ -z $ZEEK_RULESET ]] && ZEEK_RULESET="local"
ARCHIVE_PATH="$ZEEK_LOG_PATH/archived/$(date +"%Y-%m-%d-%H-%M-%S")"
mkdir -p "$ZEEK_LOG_PATH"/extract_files "$ARCHIVE_PATH"
pushd "$ZEEK_LOG_PATH" >/dev/null 2>&1
function finish {
echo "\"$ZEEK_EXE\" exited" >&2
pushd "$ZEEK_LOG_PATH" >/dev/null 2>&1
####################################################################################
# rename/move current zeek log files to an archive directory
####################################################################################
# we don't want to interfere with files being used by other processes (except filebeat, screw that guy)
mapfile -t OPEN_FILES < <( lsof -u "$USER" -a +D "$(pwd)" -a -d 0-65535 2>/dev/null | grep -Pv "^[\w-]+beat" | tail -n +2 | awk '{print $9}' | sed "s@^$ZEEK_LOG_PATH/@@" )
declare -A OPEN_FILES_MAP
for OPEN_FILE in ${OPEN_FILES[@]}; do
OPEN_FILES_MAP["$OPEN_FILE"]=1
done
shopt -s nullglob
for LOG_FILE in *; do
# process only files, and don't mess with open files (see OPEN_FILES declaration above)
if [[ ! -d "$LOG_FILE" ]] && [[ -z ${OPEN_FILES_MAP[$LOG_FILE]} ]]; then
mv -v "$LOG_FILE" "$ARCHIVE_PATH"/
fi
done
popd >/dev/null 2>&1
# we don't need to hang on to the persistent .state directory
[[ -d "$ZEEK_LOG_PATH"/.state ]] && sleep 1 && (pidof zeek >/dev/null 2>&1 || rm -rf "$ZEEK_LOG_PATH"/.state)
}
trap finish EXIT
# execute zeek
echo "Running \"$ZEEK_EXE\"..." >&2
if [[ -n "$ZEEK_EXTRACTOR_SCRIPT" ]] && [[ -n "$ZEEK_EXTRACTOR_OVERRIDE_FILE" ]]; then
"$ZEEK_EXE" -C $ZEEK_INPUT_FLAG "$ZEEK_INPUT_OBJECT" "$ZEEK_RULESET" "$ZEEK_EXTRACTOR_SCRIPT" "$ZEEK_EXTRACTOR_OVERRIDE_FILE"
elif [[ -n "$ZEEK_EXTRACTOR_SCRIPT" ]]; then
"$ZEEK_EXE" -C $ZEEK_INPUT_FLAG "$ZEEK_INPUT_OBJECT" "$ZEEK_RULESET" "$ZEEK_EXTRACTOR_SCRIPT"
else
"$ZEEK_EXE" -C $ZEEK_INPUT_FLAG "$ZEEK_INPUT_OBJECT" "$ZEEK_RULESET"
fi
popd >/dev/null 2>&1

206
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/opt/zeek/bin/zeekdeploy.sh Executable file
View File

@@ -0,0 +1,206 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# get utilities for finding default zeek path and executable
[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath
[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname
if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then
echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME"
exit 1
fi
export SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))"
# control_vars.conf file must be specified as argument to script or be found in an expected place
# source configuration variables file if found (precedence: pwd, script directory, /opt/sensor/sensor_ctl)
if [[ -n "$1" ]]; then
source "$1"
else
CONTROL_VARS_FILE="control_vars.conf"
if [[ -r ./"$CONTROL_VARS_FILE" ]]; then
source ./"$CONTROL_VARS_FILE"
elif [[ -r "$SCRIPT_PATH"/"$CONTROL_VARS_FILE" ]]; then
source "$SCRIPT_PATH"/"$CONTROL_VARS_FILE"
elif [[ -r /opt/sensor/sensor_ctl/"$CONTROL_VARS_FILE" ]]; then
source /opt/sensor/sensor_ctl/"$CONTROL_VARS_FILE"
fi
fi
# capture interface(s) *must* be specified
if [[ -z $CAPTURE_INTERFACE ]] ; then
echo "Zeek capture interface(s) (via \$CAPTURE_INTERFACE) not specified"
exit 1
fi
# do we have AF_PACKET support in the kernel? true if > 0
AF_PACKET_SUPPORT=$(grep -c -x 'CONFIG_PACKET=[ym]' "/boot/config-$(uname -r)")
# determine location of zeekctl script and relative installation path
ZEEK_CTL="$(which zeekctl)"
[[ ! -x "$ZEEK_CTL" ]] && ZEEK_CTL="/opt/zeek/bin/zeekctl"
[[ ! -x "$ZEEK_CTL" ]] && ZEEK_CTL="/usr/bin/zeekctl"
[[ ! -x "$ZEEK_CTL" ]] && ZEEK_CTL="/usr/local/bin/zeekctl"
if [[ ! -x "$ZEEK_CTL" ]]; then
echo "zeekctl script not found or not executable"
exit 1
fi
ZEEK_INSTALL_PATH="$(realpath "$(dirname "$(realpath "$ZEEK_CTL")")"/..)"
if [[ ! -d "$ZEEK_INSTALL_PATH" ]]; then
echo "zeek root path \"$ZEEK_INSTALL_PATH\" does not exist"
exit 1
fi
# default file extraction mode is "do not extract files"
[[ -z $ZEEK_EXTRACTOR_MODE ]] && ZEEK_EXTRACTOR_MODE="none"
# some other defaults
[[ -z $ZEEK_LB_PROCS ]] && ZEEK_LB_PROCS="1"
[[ -z $ZEEK_LB_METHOD ]] && ZEEK_LB_METHOD="custom"
[[ -z $ZEEK_AF_PACKET_BUFFER_SIZE ]] && ZEEK_AF_PACKET_BUFFER_SIZE="$(echo "64*1024*1024" | bc)"
# if zeek log path is unspecified, write logs to pwd
[[ -z $ZEEK_LOG_PATH ]] && ZEEK_LOG_PATH=.
ZEEK_LOG_PATH="$($REALPATH "$ZEEK_LOG_PATH")"
ARCHIVE_PATH="$ZEEK_LOG_PATH/logs"
WORK_PATH="$ZEEK_LOG_PATH/spool"
TMP_PATH="$ZEEK_INSTALL_PATH/spool/tmp"
EXTRACT_FILES_PATH="$ZEEK_LOG_PATH/extract_files"
mkdir -p "$ARCHIVE_PATH" "$WORK_PATH" "$EXTRACT_FILES_PATH" "$TMP_PATH"
export TMP="$TMP_PATH"
# if file extraction is enabled and file extraction script exists, set up the argument for zeek to use it
[[ -z $ZEEK_RULESET ]] && ZEEK_RULESET="local"
EXTRACTOR_ZEEK_SCRIPT="extractor.zeek"
ZEEK_EXTRACTOR_SCRIPT="$ZEEK_INSTALL_PATH"/share/zeek/site/"$EXTRACTOR_ZEEK_SCRIPT"
([[ ! -r "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ "$ZEEK_EXTRACTOR_MODE" = "none" ]]) && ZEEK_EXTRACTOR_SCRIPT=""
([[ ! -r "$ZEEK_EXTRACTOR_OVERRIDE_FILE" ]] || [[ -z "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ ! "$ZEEK_EXTRACTOR_MODE" = "mapped" ]]) && ZEEK_EXTRACTOR_OVERRIDE_FILE=""
# configure zeek cfg files
pushd "$ZEEK_INSTALL_PATH"/etc >/dev/null 2>&1
# make replacements for variables in zeekctl.cfg
ZEEK_LOG_ROTATE=3600
ZEEK_LOG_EXPIRE=0
ZEEK_STATS=0
sed -r -i "s/(LogRotationInterval)\s*=\s*.*/\1 = $ZEEK_LOG_ROTATE/" ./zeekctl.cfg
sed -r -i "s/(LogExpireInterval)\s*=\s*.*/\1 = $ZEEK_LOG_EXPIRE/" ./zeekctl.cfg
if [[ -n "$ZEEK_EXTRACTOR_SCRIPT" ]] && [[ -n "$ZEEK_EXTRACTOR_OVERRIDE_FILE" ]]; then
sed -r -i "s@(SitePolicyScripts)\s*=\s*.*@\1 = $ZEEK_RULESET $ZEEK_EXTRACTOR_SCRIPT $ZEEK_EXTRACTOR_OVERRIDE_FILE@" ./zeekctl.cfg
elif [[ -n "$ZEEK_EXTRACTOR_SCRIPT" ]]; then
sed -r -i "s@(SitePolicyScripts)\s*=\s*.*@\1 = $ZEEK_RULESET $ZEEK_EXTRACTOR_SCRIPT@" ./zeekctl.cfg
else
sed -r -i "s@(SitePolicyScripts)\s*=\s*.*@\1 = $ZEEK_RULESET@" ./zeekctl.cfg
fi
sed -r -i "s@(LogDir)\s*=\s*.*@\1 = $ARCHIVE_PATH@" ./zeekctl.cfg
sed -r -i "s@(SpoolDir)\s*=\s*.*@\1 = $WORK_PATH@" ./zeekctl.cfg
# completely rewrite node.cfg for one worker per interface
# see idaholab/Malcolm#36 for details on fine-tuning
rm -f ./node.cfg
cat << 'EOF' > ./node.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by /opt/zeek/bin/zeekdeploy.sh
#
EOF
echo "[logger]" >> ./node.cfg
echo "type=logger" >> ./node.cfg
echo "host=localhost" >> ./node.cfg
[[ -n $ZEEK_PIN_CPUS_LOGGER ]] && \
echo "pin_cpus=$ZEEK_PIN_CPUS_LOGGER" >> ./node.cfg
echo "" >> ./node.cfg
echo "[manager]" >> ./node.cfg
echo "type=manager" >> ./node.cfg
echo "host=localhost" >> ./node.cfg
[[ -n $ZEEK_PIN_CPUS_MANAGER ]] && \
echo "pin_cpus=$ZEEK_PIN_CPUS_MANAGER" >> ./node.cfg
echo "" >> ./node.cfg
echo "[proxy]" >> ./node.cfg
echo "type=proxy" >> ./node.cfg
echo "host=localhost" >> ./node.cfg
[[ -n $ZEEK_PIN_CPUS_PROXY ]] && \
echo "pin_cpus=$ZEEK_PIN_CPUS_PROXY" >> ./node.cfg
echo "" >> ./node.cfg
# number of zeek processes so far (logger, manager, proxy)
ZEEK_PROCS=3
# incrementing ID of current worker for config file
WORKER_ID=1
# AF_PACKET fanout ID (per-interface)
FANOUT_ID=1
# create a worker for each interface
# see idaholab/Malcolm#36 for details on fine-tuning
for IFACE in ${CAPTURE_INTERFACE//,/ }; do
WORKER_CPU_PINS_VAR=ZEEK_PIN_CPUS_WORKER_${WORKER_ID}
WORKER_LB_PROCS_VAR=ZEEK_LB_PROCS_WORKER_${WORKER_ID}
# priority for worker's lb_procs:
if [[ -n "${!WORKER_LB_PROCS_VAR}" ]]; then
# 1. ZEEK_LB_PROCS_WORKER_n is explicitly specified
WORKER_LB_PROCS="${!WORKER_LB_PROCS_VAR}"
elif [[ -n "${!WORKER_CPU_PINS_VAR}" ]]; then
# 2. ZEEK_PIN_CPUS_WORKER_n is specified, count the values
WORKER_LB_PROCS="$(echo "${!WORKER_CPU_PINS_VAR}" | awk -F',' '{print NF}')"
else
# default to $ZEEK_LB_PROCS
WORKER_LB_PROCS="$ZEEK_LB_PROCS"
fi
cat << EOF >> ./node.cfg
[worker-$WORKER_ID]
type=worker
host=localhost
interface=$IFACE
env_vars=ZEEK_EXTRACTOR_MODE=$ZEEK_EXTRACTOR_MODE,ZEEK_EXTRACTOR_PATH=$EXTRACT_FILES_PATH/,TMP=$TMP_PATH
EOF
# if af_packet is available in the kernel, write it out as well
if [ $AF_PACKET_SUPPORT -gt 0 ] && [ $WORKER_LB_PROCS -gt 0 ]; then
echo "lb_procs=$WORKER_LB_PROCS" >> ./node.cfg
echo "lb_method=$ZEEK_LB_METHOD" >> ./node.cfg
[[ -n "${!WORKER_CPU_PINS_VAR}" ]] && \
echo "pin_cpus=${!WORKER_CPU_PINS_VAR}" >> ./node.cfg
echo "af_packet_fanout_id=$FANOUT_ID" >> ./node.cfg
echo "af_packet_fanout_mode=AF_Packet::FANOUT_HASH" >> ./node.cfg
echo "af_packet_buffer_size=$ZEEK_AF_PACKET_BUFFER_SIZE" >> ./node.cfg
fi
WORKER_ID=$((WORKER_ID+1))
FANOUT_ID=$((FANOUT_ID+1))
ZEEK_PROCS=$((ZEEK_PROCS+1))
done
# we'll assume we didn't mess with networks.cfg, leave it alone
popd >/dev/null 2>&1
pushd "$ZEEK_LOG_PATH" >/dev/null 2>&1
function finish {
echo "Stopping via \"$ZEEK_CTL\"" >&2
"$ZEEK_CTL" stop
rm -f "$TMP_PATH"/*
}
trap finish EXIT
# execute zeekctl
echo "Running via \"$ZEEK_CTL\"..." >&2
"$ZEEK_CTL" deploy
# wait until interrupted (or somehow if zeek dies on its own)
while [ $("$ZEEK_CTL" status | tail -n +2 | grep -P "localhost\s+running\s+\d+" | wc -l) -ge $ZEEK_PROCS ]; do
for i in `seq 1 10`; do
sleep 1
done
done
popd >/dev/null 2>&1

47
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor.zeek Normal file
View File

@@ -0,0 +1,47 @@
#!/usr/bin/env zeek
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
@load ./extractor_params
global extractor_extract_mode = (getenv("ZEEK_EXTRACTOR_MODE") == "") ? extractor_extract_known : getenv("ZEEK_EXTRACTOR_MODE");
global extractor_max_size = (getenv("EXTRACTED_FILE_MAX_BYTES") == "") ? extractor_max_size_default : to_count(getenv("EXTRACTED_FILE_MAX_BYTES"));
redef FileExtract::prefix = (getenv("ZEEK_EXTRACTOR_PATH") == "") ? "./extract_files/" : getenv("ZEEK_EXTRACTOR_PATH");
event file_sniff(f: fa_file, meta: fa_metadata) {
# extract all files OR
if ((extractor_extract_mode == extractor_extract_all) ||
# we don't know the mime type and we always want to extract unknowns OR
((! meta?$mime_type) && extractor_always_extract_unknown) ||
# we only want to extract knowns and we know the mime type OR
((extractor_extract_mode == extractor_extract_known) && meta?$mime_type) ||
# we only want to extract mime->extension mapped files, we know the mimetype, and the mime type is mapped
((extractor_extract_mode == extractor_extract_mapped) && meta?$mime_type && (meta$mime_type in extractor_mime_to_ext_map))) {
local ext: string = "";
if (! meta?$mime_type)
ext = extractor_mime_to_ext_map["default"];
else if (meta$mime_type in extractor_mime_to_ext_map)
ext = extractor_mime_to_ext_map[meta$mime_type];
else
ext = split_string(meta$mime_type, /\//)[1];
local ftime: time = 0.0;
if (! f?$last_active)
ftime = f$last_active;
else
ftime = network_time();
local uid: string = "unknown";
if (f?$conns)
# todo this is a little hacky, figure out how to do this better
for (cid in f$conns) {
uid = f$conns[cid]$uid;
break;
}
local fname = fmt("%s-%s-%s-%s.%s", f$source, f$id, uid, strftime("%Y%m%d%H%M%S", ftime), ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname, $extract_limit=extractor_max_size]);
}
}

939
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor_params.zeek Normal file
View File

@@ -0,0 +1,939 @@
#!/usr/bin/env zeek
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
export {
const extractor_extract_none = "none" &redef;
const extractor_extract_known = "known" &redef;
const extractor_extract_mapped = "mapped" &redef;
const extractor_extract_all = "all" &redef;
const extractor_always_extract_unknown = F &redef;
const extractor_max_size_default = 268435456 &redef;
# wget -qO- http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types | egrep -v ^# | awk '{ for (i=2; i<=NF; i++) {print "[\x22"$1"\x22]"" = ""\x22"$i"\x22,"}}' | sort
const extractor_mime_to_ext_map : table[string] of string = {
["application/acad"]= "dwg",
["application/andrew-inset"]= "ez",
["application/annodex"]= "anx",
["application/applixware"]= "aw",
["application/atom+xml"]= "atom",
["application/atomcat+xml"]= "atomcat",
["application/atomsvc+xml"]= "atomsvc",
["application/binary"]= "bin",
["application/ccxml+xml"]= "ccxml",
["application/cdmi-capability"]= "cdmia",
["application/cdmi-container"]= "cdmic",
["application/cdmi-domain"]= "cdmid",
["application/cdmi-object"]= "cdmio",
["application/cdmi-queue"]= "cdmiq",
["application/cu-seeme"]= "cu",
["application/davmount+xml"]= "davmount",
["application/directx"]= "x",
["application/docbook+xml"]= "dbk",
["application/dssc+der"]= "dssc",
["application/dssc+xml"]= "xdssc",
["application/ecmascript"]= "es",
["application/emma+xml"]= "emma",
["application/envoy"]= "evy",
["application/epub+zip"]= "epub",
["application/etl"]= "etl",
["application/exi"]= "exi",
["application/font-sfnt"]= "ttf",
["application/fractals"]= "fif",
["application/fsharp-script"]= "fsscript",
["application/futuresplash"]= "spl",
["application/gml+xml"]= "gml",
["application/gpx+xml"]= "gpx",
["application/gxf"]= "gxf",
["application/hta"]= "hta",
["application/hyperstudio"]= "stk",
["application/inkml+xml"]= "inkml",
["application/internet-property-stream"]= "acx",
["application/ipfix"]= "ipfix",
["application/java-archive"]= "jar",
["application/java-serialized-object"]= "ser",
["application/java-vm"]= "class",
["application/javascript"]= "js",
["application/json"]= "json",
["application/jsonml+json"]= "jsonml",
["application/liquidmotion"]= "jck",
["application/lost+xml"]= "lostxml",
["application/mac-binhex40"]= "hqx",
["application/mac-compactpro"]= "cpt",
["application/mads+xml"]= "mads",
["application/marc"]= "mrc",
["application/marcxml+xml"]= "mrcx",
["application/mathematica"]= "ma",
["application/mathml+xml"]= "mathml",
["application/mbox"]= "mbox",
["application/mediaservercontrol+xml"]= "mscml",
["application/metalink+xml"]= "metalink",
["application/metalink4+xml"]= "meta4",
["application/mets+xml"]= "mets",
["application/mods+xml"]= "mods",
["application/mp21"]= "mp21",
["application/mp4"]= "mp4s",
["application/mpeg"]= "amc",
["application/ms-vsi"]= "vsi",
["application/msaccess"]= "accdb",
["application/msaccess.addin"]= "accda",
["application/msaccess.cab"]= "accdc",
["application/msaccess.ftemplate"]= "accft",
["application/msaccess.runtime"]= "accdr",
["application/msaccess.webapplication"]= "accdw",
["application/msexcel"]= "xls",
["application/mspowerpoint"]= "ppt",
["application/msword"]= "doc",
["application/mxf"]= "mxf",
["application/octet-stream"]= "bin",
["application/oda"]= "oda",
["application/oebps-package+xml"]= "opf",
["application/ogg"]= "ogx",
["application/olescript"]= "axs",
["application/omdoc+xml"]= "omdoc",
["application/onenote"]= "one",
["application/opensearchdescription+xml"]= "osdx",
["application/oxps"]= "oxps",
["application/patch-ops-error+xml"]= "xer",
["application/pdf"]= "pdf",
["application/pgp-encrypted"]= "pgp",
["application/pgp-signature"]= "pgp",
["application/pics-rules"]= "prf",
["application/pkcs10"]= "p10",
["application/pkcs7-mime"]= "p7c",
["application/pkcs7-signature"]= "p7s",
["application/pkcs8"]= "p8",
["application/pkix-attr-cert"]= "ac",
["application/pkix-cert"]= "cer",
["application/pkix-crl"]= "crl",
["application/pkix-pkipath"]= "pkipath",
["application/pkixcmp"]= "pki",
["application/pls+xml"]= "pls",
["application/postscript"]= "ps",
["application/PowerShell"]= "psc1",
["application/prs.cww"]= "cww",
["application/pskc+xml"]= "pskcxml",
["application/rat-file"]= "rat",
["application/rdf+xml"]= "rdf",
["application/reginfo+xml"]= "rif",
["application/relax-ng-compact-syntax"]= "rnc",
["application/resource-lists+xml"]= "rl",
["application/resource-lists-diff+xml"]= "rld",
["application/rls-services+xml"]= "rs",
["application/rpki-ghostbusters"]= "gbr",
["application/rpki-manifest"]= "mft",
["application/rpki-roa"]= "roa",
["application/rsd+xml"]= "rsd",
["application/rss+xml"]= "rss",
["application/rtf"]= "rtf",
["application/sbml+xml"]= "sbml",
["application/scvp-cv-request"]= "scq",
["application/scvp-cv-response"]= "scs",
["application/scvp-vp-request"]= "spq",
["application/scvp-vp-response"]= "spp",
["application/sdp"]= "sdp",
["application/set-payment-initiation"]= "setpay",
["application/set-registration-initiation"]= "setreg",
["application/shf+xml"]= "shf",
["application/smil+xml"]= "smil",
["application/sparql-query"]= "rq",
["application/sparql-results+xml"]= "srx",
["application/srgs"]= "gram",
["application/srgs+xml"]= "grxml",
["application/sru+xml"]= "sru",
["application/ssdl+xml"]= "ssdl",
["application/ssml+xml"]= "ssml",
["application/step"]= "step",
["application/streamingmedia"]= "ssm",
["application/tei+xml"]= "tei",
["application/thraud+xml"]= "tfi",
["application/timestamped-data"]= "tsd",
["application/vnd.3gpp.pic-bw-large"]= "plb",
["application/vnd.3gpp.pic-bw-small"]= "psb",
["application/vnd.3gpp.pic-bw-var"]= "pvb",
["application/vnd.3gpp2.tcap"]= "tcap",
["application/vnd.3m.post-it-notes"]= "pwn",
["application/vnd.accpac.simply.aso"]= "aso",
["application/vnd.accpac.simply.imp"]= "imp",
["application/vnd.acucobol"]= "acu",
["application/vnd.acucorp"]= "acutc",
["application/vnd.adobe.air-application-installer-package+zip"]= "air",
["application/vnd.adobe.formscentral.fcdt"]= "fcdt",
["application/vnd.adobe.fxp"]= "fxp",
["application/vnd.adobe.xdp+xml"]= "xdp",
["application/vnd.adobe.xfdf"]= "xfdf",
["application/vnd.ahead.space"]= "ahead",
["application/vnd.airzip.filesecure.azf"]= "azf",
["application/vnd.airzip.filesecure.azs"]= "azs",
["application/vnd.amazon.ebook"]= "azw",
["application/vnd.americandynamics.acc"]= "acc",
["application/vnd.amiga.ami"]= "ami",
["application/vnd.android.package-archive"]= "apk",
["application/vnd.anser-web-certificate-issue-initiation"]= "cii",
["application/vnd.anser-web-funds-transfer-initiation"]= "fti",
["application/vnd.antix.game-component"]= "atx",
["application/vnd.apple.installer+xml"]= "mpkg",
["application/vnd.apple.mpegurl"]= "m3u8",
["application/vnd.aristanetworks.swi"]= "swi",
["application/vnd.astraea-software.iota"]= "iota",
["application/vnd.audiograph"]= "aep",
["application/vnd.blueice.multipass"]= "mpm",
["application/vnd.bmi"]= "bmi",
["application/vnd.businessobjects"]= "rep",
["application/vnd.chemdraw+xml"]= "cdxml",
["application/vnd.chipnuts.karaoke-mmd"]= "mmd",
["application/vnd.cinderella"]= "cdy",
["application/vnd.claymore"]= "cla",
["application/vnd.cloanto.rp9"]= "rp9",
["application/vnd.clonk.c4group"]= "c4g",
["application/vnd.cluetrust.cartomobile-config"]= "c11amc",
["application/vnd.cluetrust.cartomobile-config-pkg"]= "c11amz",
["application/vnd.commonspace"]= "csp",
["application/vnd.contact.cmsg"]= "cdbcmsg",
["application/vnd.cosmocaller"]= "cmc",
["application/vnd.crick.clicker"]= "clkx",
["application/vnd.crick.clicker.keyboard"]= "clkk",
["application/vnd.crick.clicker.palette"]= "clkp",
["application/vnd.crick.clicker.template"]= "clkt",
["application/vnd.crick.clicker.wordbank"]= "clkw",
["application/vnd.criticaltools.wbs+xml"]= "wbs",
["application/vnd.ctc-posml"]= "pml",
["application/vnd.cups-ppd"]= "ppd",
["application/vnd.curl.car"]= "car",
["application/vnd.curl.pcurl"]= "pcurl",
["application/vnd.dart"]= "dart",
["application/vnd.data-vision.rdz"]= "rdz",
["application/vnd.dece.data"]= "uvd",
["application/vnd.dece.ttml+xml"]= "uvt",
["application/vnd.dece.unspecified"]= "uvx",
["application/vnd.dece.zip"]= "uvz",
["application/vnd.denovo.fcselayout-link"]= "fe_launch",
["application/vnd.dna"]= "dna",
["application/vnd.dolby.mlp"]= "mlp",
["application/vnd.dpgraph"]= "dpg",
["application/vnd.dreamfactory"]= "dfac",
["application/vnd.ds-keypoint"]= "kpxx",
["application/vnd.dvb.ait"]= "ait",
["application/vnd.dvb.service"]= "svc",
["application/vnd.dynageo"]= "geo",
["application/vnd.ecowin.chart"]= "mag",
["application/vnd.enliven"]= "nml",
["application/vnd.epson.esf"]= "esf",
["application/vnd.epson.msf"]= "msf",
["application/vnd.epson.quickanime"]= "qam",
["application/vnd.epson.salt"]= "slt",
["application/vnd.epson.ssf"]= "ssf",
["application/vnd.eszigno3+xml"]= "es3",
["application/vnd.ezpix-album"]= "ez2",
["application/vnd.ezpix-package"]= "ez3",
["application/vnd.fdf"]= "fdf",
["application/vnd.fdsn.mseed"]= "mseed",
["application/vnd.fdsn.seed"]= "seed",
["application/vnd.flographit"]= "gph",
["application/vnd.fluxtime.clip"]= "ftc",
["application/vnd.framemaker"]= "fm",
["application/vnd.frogans.fnc"]= "fnc",
["application/vnd.frogans.ltf"]= "ltf",
["application/vnd.fsc.weblaunch"]= "fsc",
["application/vnd.fujitsu.oasys"]= "oas",
["application/vnd.fujitsu.oasys2"]= "oa2",
["application/vnd.fujitsu.oasys3"]= "oa3",
["application/vnd.fujitsu.oasysgp"]= "fg5",
["application/vnd.fujitsu.oasysprs"]= "bh2",
["application/vnd.fujixerox.ddd"]= "ddd",
["application/vnd.fujixerox.docuworks"]= "xdw",
["application/vnd.fujixerox.docuworks.binder"]= "xbd",
["application/vnd.fuzzysheet"]= "fzs",
["application/vnd.genomatix.tuxedo"]= "txd",
["application/vnd.geogebra.file"]= "ggb",
["application/vnd.geogebra.tool"]= "ggt",
["application/vnd.geometry-explorer"]= "gex",
["application/vnd.geonext"]= "gxt",
["application/vnd.geoplan"]= "g2w",
["application/vnd.geospace"]= "g3w",
["application/vnd.gmx"]= "gmx",
["application/vnd.google-earth.kml+xml"]= "kml",
["application/vnd.google-earth.kmz"]= "kmz",
["application/vnd.grafeq"]= "gqf",
["application/vnd.groove-account"]= "gac",
["application/vnd.groove-help"]= "ghf",
["application/vnd.groove-identity-message"]= "gim",
["application/vnd.groove-injector"]= "grv",
["application/vnd.groove-tool-message"]= "gtm",
["application/vnd.groove-tool-template"]= "tpl",
["application/vnd.groove-vcard"]= "vcg",
["application/vnd.hal+xml"]= "hal",
["application/vnd.handheld-entertainment+xml"]= "zmm",
["application/vnd.hbci"]= "hbci",
["application/vnd.hhe.lesson-player"]= "les",
["application/vnd.hp-hpgl"]= "hpgl",
["application/vnd.hp-hpid"]= "hpid",
["application/vnd.hp-hps"]= "hps",
["application/vnd.hp-jlyt"]= "jlt",
["application/vnd.hp-pcl"]= "pcl",
["application/vnd.hp-pclxl"]= "pclxl",
["application/vnd.hydrostatix.sof-data"]= "sfd-hdstx",
["application/vnd.ibm.minipay"]= "mpy",
["application/vnd.ibm.modcap"]= "afp",
["application/vnd.ibm.rights-management"]= "irm",
["application/vnd.ibm.secure-container"]= "sc",
["application/vnd.iccprofile"]= "icc",
["application/vnd.igloader"]= "igl",
["application/vnd.immervision-ivp"]= "ivp",
["application/vnd.immervision-ivu"]= "ivu",
["application/vnd.insors.igm"]= "igm",
["application/vnd.intercon.formnet"]= "xpw",
["application/vnd.intergeo"]= "i2g",
["application/vnd.intu.qbo"]= "qbo",
["application/vnd.intu.qfx"]= "qfx",
["application/vnd.ipunplugged.rcprofile"]= "rcprofile",
["application/vnd.irepository.package+xml"]= "irp",
["application/vnd.is-xpr"]= "xpr",
["application/vnd.isac.fcs"]= "fcs",
["application/vnd.jam"]= "jam",
["application/vnd.jcp.javame.midlet-rms"]= "rms",
["application/vnd.jisp"]= "jisp",
["application/vnd.joost.joda-archive"]= "joda",
["application/vnd.kahootz"]= "ktz",
["application/vnd.kde.karbon"]= "karbon",
["application/vnd.kde.kchart"]= "chrt",
["application/vnd.kde.kformula"]= "kfo",
["application/vnd.kde.kivio"]= "flw",
["application/vnd.kde.kontour"]= "kon",
["application/vnd.kde.kpresenter"]= "kpt",
["application/vnd.kde.kspread"]= "ksp",
["application/vnd.kde.kword"]= "kwd",
["application/vnd.kenameaapp"]= "htke",
["application/vnd.kidspiration"]= "kia",
["application/vnd.kinar"]= "kne",
["application/vnd.koan"]= "skd",
["application/vnd.kodak-descriptor"]= "sse",
["application/vnd.las.las+xml"]= "lasxml",
["application/vnd.llamagraphics.life-balance.desktop"]= "lbd",
["application/vnd.llamagraphics.life-balance.exchange+xml"]= "lbe",
["application/vnd.lotus-1-2-3"]= "123",
["application/vnd.lotus-approach"]= "apr",
["application/vnd.lotus-freelance"]= "pre",
["application/vnd.lotus-notes"]= "nsf",
["application/vnd.lotus-organizer"]= "org",
["application/vnd.lotus-screencam"]= "scm",
["application/vnd.lotus-wordpro"]= "lwp",
["application/vnd.macports.portpkg"]= "portpkg",
["application/vnd.mcd"]= "mcd",
["application/vnd.medcalcdata"]= "mc1",
["application/vnd.mediastation.cdkey"]= "cdkey",
["application/vnd.mfer"]= "mwf",
["application/vnd.mfmp"]= "mfm",
["application/vnd.micrografx.flo"]= "flo",
["application/vnd.micrografx.igx"]= "igx",
["application/vnd.microsoft.portable-executable"]= "exe",
["application/vnd.mif"]= "mif",
["application/vnd.mobius.daf"]= "daf",
["application/vnd.mobius.dis"]= "dis",
["application/vnd.mobius.mbk"]= "mbk",
["application/vnd.mobius.mqy"]= "mqy",
["application/vnd.mobius.msl"]= "msl",
["application/vnd.mobius.plc"]= "plc",
["application/vnd.mobius.txf"]= "txf",
["application/vnd.mophun.application"]= "mpn",
["application/vnd.mophun.certificate"]= "mpc",
["application/vnd.mozilla.xul+xml"]= "xul",
["application/vnd.ms-artgalry"]= "cil",
["application/vnd.ms-cab-compressed"]= "cab",
["application/vnd.ms-excel"]= "xls",
["application/vnd.ms-excel.addin.macroEnabled.12"]= "xlam",
["application/vnd.ms-excel.addin.macroenabled.12"]= "xlam",
["application/vnd.ms-excel.sheet.binary.macroEnabled.12"]= "xlsb",
["application/vnd.ms-excel.sheet.binary.macroenabled.12"]= "xlsb",
["application/vnd.ms-excel.sheet.macroEnabled.12"]= "xlsm",
["application/vnd.ms-excel.sheet.macroenabled.12"]= "xlsm",
["application/vnd.ms-excel.template.macroEnabled.12"]= "xltm",
["application/vnd.ms-excel.template.macroenabled.12"]= "xltm",
["application/vnd.ms-fontobject"]= "eot",
["application/vnd.ms-htmlhelp"]= "chm",
["application/vnd.ms-ims"]= "ims",
["application/vnd.ms-lrm"]= "lrm",
["application/vnd.ms-mediapackage"]= "mpf",
["application/vnd.ms-office.calx"]= "calx",
["application/vnd.ms-officetheme"]= "thmx",
["application/vnd.ms-outlook"]= "msg",
["application/vnd.ms-pki.certstore"]= "sst",
["application/vnd.ms-pki.pko"]= "pko",
["application/vnd.ms-pki.seccat"]= "cat",
["application/vnd.ms-pki.stl"]= "stl",
["application/vnd.ms-powerpoint"]= "ppt",
["application/vnd.ms-powerpoint.addin.macroEnabled.12"]= "ppam",
["application/vnd.ms-powerpoint.addin.macroenabled.12"]= "ppam",
["application/vnd.ms-powerpoint.presentation.macroEnabled.12"]= "pptm",
["application/vnd.ms-powerpoint.presentation.macroenabled.12"]= "pptm",
["application/vnd.ms-powerpoint.slide.macroEnabled.12"]= "sldm",
["application/vnd.ms-powerpoint.slide.macroenabled.12"]= "sldm",
["application/vnd.ms-powerpoint.slideshow.macroEnabled.12"]= "ppsm",
["application/vnd.ms-powerpoint.slideshow.macroenabled.12"]= "ppsm",
["application/vnd.ms-powerpoint.template.macroEnabled.12"]= "potm",
["application/vnd.ms-powerpoint.template.macroenabled.12"]= "potm",
["application/vnd.ms-project"]= "mpt",
["application/vnd.ms-visio.viewer"]= "vdx",
["application/vnd.ms-word.document.macroEnabled.12"]= "docm",
["application/vnd.ms-word.document.macroenabled.12"]= "docm",
["application/vnd.ms-word.template.macroEnabled.12"]= "dotm",
["application/vnd.ms-word.template.macroenabled.12"]= "dotm",
["application/vnd.ms-works"]= "wks",
["application/vnd.ms-wpl"]= "wpl",
["application/vnd.ms-xpsdocument"]= "xps",
["application/vnd.mseq"]= "mseq",
["application/vnd.musician"]= "mus",
["application/vnd.muvee.style"]= "msty",
["application/vnd.mynfc"]= "taglet",
["application/vnd.neurolanguage.nlu"]= "nlu",
["application/vnd.nitf"]= "nitf",
["application/vnd.noblenet-directory"]= "nnd",
["application/vnd.noblenet-sealer"]= "nns",
["application/vnd.noblenet-web"]= "nnw",
["application/vnd.nokia.n-gage.data"]= "ngdat",
["application/vnd.nokia.n-gage.symbian.install"]= "n-gage",
["application/vnd.nokia.radio-preset"]= "rpst",
["application/vnd.nokia.radio-presets"]= "rpss",
["application/vnd.novadigm.edm"]= "edm",
["application/vnd.novadigm.edx"]= "edx",
["application/vnd.novadigm.ext"]= "ext",
["application/vnd.oasis.opendocument.chart"]= "odc",
["application/vnd.oasis.opendocument.chart-template"]= "otc",
["application/vnd.oasis.opendocument.database"]= "odb",
["application/vnd.oasis.opendocument.formula"]= "odf",
["application/vnd.oasis.opendocument.formula-template"]= "odft",
["application/vnd.oasis.opendocument.graphics"]= "odg",
["application/vnd.oasis.opendocument.graphics-template"]= "otg",
["application/vnd.oasis.opendocument.image"]= "odi",
["application/vnd.oasis.opendocument.image-template"]= "oti",
["application/vnd.oasis.opendocument.presentation"]= "odp",
["application/vnd.oasis.opendocument.presentation-template"]= "otp",
["application/vnd.oasis.opendocument.spreadsheet"]= "ods",
["application/vnd.oasis.opendocument.spreadsheet-template"]= "ots",
["application/vnd.oasis.opendocument.text"]= "odt",
["application/vnd.oasis.opendocument.text-master"]= "odm",
["application/vnd.oasis.opendocument.text-template"]= "ott",
["application/vnd.oasis.opendocument.text-web"]= "oth",
["application/vnd.olpc-sugar"]= "xo",
["application/vnd.oma.dd2+xml"]= "dd2",
["application/vnd.openofficeorg.extension"]= "oxt",
["application/vnd.openxmlformats-officedocument.presentationml.presentation"]= "pptx",
["application/vnd.openxmlformats-officedocument.presentationml.slide"]= "sldx",
["application/vnd.openxmlformats-officedocument.presentationml.slideshow"]= "ppsx",
["application/vnd.openxmlformats-officedocument.presentationml.template"]= "potx",
["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"]= "xlsx",
["application/vnd.openxmlformats-officedocument.spreadsheetml.template"]= "xltx",
["application/vnd.openxmlformats-officedocument.wordprocessingml.document"]= "docx",
["application/vnd.openxmlformats-officedocument.wordprocessingml.template"]= "dotx",
["application/vnd.osgeo.mapguide.package"]= "mgp",
["application/vnd.osgi.dp"]= "dp",
["application/vnd.osgi.subsystem"]= "esa",
["application/vnd.palm"]= "pdb",
["application/vnd.pawaafile"]= "paw",
["application/vnd.pg.format"]= "str",
["application/vnd.pg.osasli"]= "ei6",
["application/vnd.picsel"]= "efif",
["application/vnd.pmi.widget"]= "wg",
["application/vnd.pocketlearn"]= "plf",
["application/vnd.powerbuilder6"]= "pbd",
["application/vnd.previewsystems.box"]= "box",
["application/vnd.proteus.magazine"]= "mgz",
["application/vnd.publishare-delta-tree"]= "qps",
["application/vnd.pvi.ptid1"]= "ptid",
["application/vnd.quark.quarkxpress"]= "qxt",
["application/vnd.realvnc.bed"]= "bed",
["application/vnd.recordare.musicxml"]= "mxl",
["application/vnd.recordare.musicxml+xml"]= "musicxml",
["application/vnd.rig.cryptonote"]= "cryptonote",
["application/vnd.rim.cod"]= "cod",
["application/vnd.rn-realmedia"]= "rm",
["application/vnd.rn-realmedia-vbr"]= "rmvb",
["application/vnd.rn-rn_music_package"]= "rmp",
["application/vnd.route66.link66+xml"]= "link66",
["application/vnd.sailingtracker.track"]= "st",
["application/vnd.seemail"]= "see",
["application/vnd.sema"]= "sema",
["application/vnd.semd"]= "semd",
["application/vnd.semf"]= "semf",
["application/vnd.shana.informed.formdata"]= "ifm",
["application/vnd.shana.informed.formtemplate"]= "itp",
["application/vnd.shana.informed.interchange"]= "iif",
["application/vnd.shana.informed.package"]= "ipk",
["application/vnd.simtech-mindmapper"]= "twd",
["application/vnd.smaf"]= "mmf",
["application/vnd.smart.teacher"]= "teacher",
["application/vnd.solent.sdkm+xml"]= "sdkm",
["application/vnd.spotfire.dxp"]= "dxp",
["application/vnd.spotfire.sfs"]= "sfs",
["application/vnd.stardivision.calc"]= "sdc",
["application/vnd.stardivision.draw"]= "sda",
["application/vnd.stardivision.impress"]= "sdd",
["application/vnd.stardivision.math"]= "smf",
["application/vnd.stardivision.writer"]= "sdw",
["application/vnd.stardivision.writer-global"]= "sgl",
["application/vnd.stepmania.package"]= "smzip",
["application/vnd.stepmania.stepchart"]= "sm",
["application/vnd.sun.xml.calc"]= "sxc",
["application/vnd.sun.xml.calc.template"]= "stc",
["application/vnd.sun.xml.draw"]= "sxd",
["application/vnd.sun.xml.draw.template"]= "std",
["application/vnd.sun.xml.impress"]= "sxi",
["application/vnd.sun.xml.impress.template"]= "sti",
["application/vnd.sun.xml.math"]= "sxm",
["application/vnd.sun.xml.writer"]= "sxw",
["application/vnd.sun.xml.writer.global"]= "sxg",
["application/vnd.sun.xml.writer.template"]= "stw",
["application/vnd.sus-calendar"]= "sus",
["application/vnd.svd"]= "svd",
["application/vnd.symbian.install"]= "sis",
["application/vnd.syncml+xml"]= "xsm",
["application/vnd.syncml.dm+wbxml"]= "bdm",
["application/vnd.syncml.dm+xml"]= "xdm",
["application/vnd.tao.intent-module-archive"]= "tao",
["application/vnd.tcpdump.pcap"]= "pcap",
["application/vnd.tmobile-livetv"]= "tmo",
["application/vnd.trid.tpt"]= "tpt",
["application/vnd.triscape.mxs"]= "mxs",
["application/vnd.trueapp"]= "tra",
["application/vnd.ufdl"]= "ufdl",
["application/vnd.uiq.theme"]= "utz",
["application/vnd.umajin"]= "umj",
["application/vnd.unity"]= "unityweb",
["application/vnd.uoml+xml"]= "uoml",
["application/vnd.vcx"]= "vcx",
["application/vnd.visio"]= "vsd",
["application/vnd.visionary"]= "vis",
["application/vnd.vsf"]= "vsf",
["application/vnd.wap.wbxml"]= "wbxml",
["application/vnd.wap.wmlc"]= "wmlc",
["application/vnd.wap.wmlscriptc"]= "wmlsc",
["application/vnd.webturbo"]= "wtb",
["application/vnd.wolfram.player"]= "nbp",
["application/vnd.wordperfect"]= "wpd",
["application/vnd.wqd"]= "wqd",
["application/vnd.wt.stf"]= "stf",
["application/vnd.xara"]= "xar",
["application/vnd.xfdl"]= "xfdl",
["application/vnd.yamaha.hv-dic"]= "hvd",
["application/vnd.yamaha.hv-script"]= "hvs",
["application/vnd.yamaha.hv-voice"]= "hvp",
["application/vnd.yamaha.openscoreformat"]= "osf",
["application/vnd.yamaha.openscoreformat.osfpvg+xml"]= "osfpvg",
["application/vnd.yamaha.smaf-audio"]= "saf",
["application/vnd.yamaha.smaf-phrase"]= "spf",
["application/vnd.yellowriver-custom-menu"]= "cmp",
["application/vnd.zul"]= "zir",
["application/vnd.zzazz.deck+xml"]= "zaz",
["application/voicexml+xml"]= "vxml",
["application/vsix"]= "vsix",
["application/wasm"]= "wasm",
["application/widget"]= "wgt",
["application/windows-library+xml"]= "library-ms",
["application/windows-search-connector+xml"]= "searchConnector-ms",
["application/winhlp"]= "hlp",
["application/wlmoviemaker"]= "WLMP",
["application/wsdl+xml"]= "wsdl",
["application/wspolicy+xml"]= "wspolicy",
["application/x-7z-compressed"]= "7z",
["application/x-abiword"]= "abw",
["application/x-ace-compressed"]= "ace",
["application/x-apple-diskimage"]= "dmg",
["application/x-authorware-bin"]= "aab",
["application/x-authorware-map"]= "aam",
["application/x-authorware-seg"]= "aas",
["application/x-bcpio"]= "bcpio",
["application/x-bittorrent"]= "torrent",
["application/x-blorb"]= "blorb",
["application/x-bridge-url"]= "adobebridge",
["application/x-bzip"]= "bz",
["application/x-bzip2"]= "bz2",
["application/x-cbr"]= "cbr",
["application/x-cdlink"]= "vcd",
["application/x-cfs-compressed"]= "cfs",
["application/x-chat"]= "chat",
["application/x-chess-pgn"]= "pgn",
["application/x-compress"]= "z",
["application/x-compressed"]= "tgz",
["application/x-conference"]= "nsc",
["application/x-cpio"]= "cpio",
["application/x-csh"]= "csh",
["application/x-debian-package"]= "deb",
["application/x-dgc-compressed"]= "dgc",
["application/x-director"]= "dir",
["application/x-doom"]= "wad",
["application/x-dosexec"]= "exe",
["application/x-dtbncx+xml"]= "ncx",
["application/x-dtbook+xml"]= "dtb",
["application/x-dtbresource+xml"]= "res",
["application/x-dvi"]= "dvi",
["application/x-dxf"]= "dxf",
["application/x-elf"]= "elf",
["application/x-envoy"]= "evy",
["application/x-eva"]= "eva",
["application/x-executable"]= "exe",
["application/x-font-bdf"]= "bdf",
["application/x-font-ghostscript"]= "gsf",
["application/x-font-linux-psf"]= "psf",
["application/x-font-pcf"]= "pcf",
["application/x-font-snf"]= "snf",
["application/x-font-type1"]= "pfm",
["application/x-freearc"]= "arc",
["application/x-futuresplash"]= "spl",
["application/x-gca-compressed"]= "gca",
["application/x-glulx"]= "ulx",
["application/x-gnumeric"]= "gnumeric",
["application/x-gramps-xml"]= "gramps",
["application/x-gtar"]= "gtar",
["application/x-gzip"]= "gz",
["application/x-hdf"]= "hdf",
["application/x-install-instructions"]= "install",
["application/x-internet-signup"]= "isp",
["application/x-iphone"]= "iii",
["application/x-iso9660-image"]= "iso",
["application/x-itunes-ipa"]= "ipa",
["application/x-itunes-ipg"]= "ipg",
["application/x-itunes-ipsw"]= "ipsw",
["application/x-itunes-ite"]= "ite",
["application/x-itunes-itlp"]= "itlp",
["application/x-itunes-itms"]= "itms",
["application/x-itunes-itpc"]= "itpc",
["application/x-java-applet"]= "class",
["application/x-java-jnlp-file"]= "jnlp",
["application/x-koan"]= "skp",
["application/x-latex"]= "latex",
["application/x-lzh-compressed"]= "lzh",
["application/x-mie"]= "mie",
["application/x-miva-compiled"]= "mvc",
["application/x-mmxp"]= "mxp",
["application/x-mobipocket-ebook"]= "mobi",
["application/x-ms-application"]= "application",
["application/x-ms-installer"]= "msi",
["application/x-ms-license"]= "slupkg-ms",
["application/x-ms-manifest"]= "manifest",
["application/x-ms-reader"]= "lit",
["application/x-ms-shortcut"]= "lnk",
["application/x-ms-vsto"]= "vsto",
["application/x-ms-wmd"]= "wmd",
["application/x-ms-wmz"]= "wmz",
["application/x-ms-xbap"]= "xbap",
["application/x-msaccess"]= "mdb",
["application/x-msbinder"]= "obd",
["application/x-mscardfile"]= "crd",
["application/x-msclip"]= "clp",
["application/x-msdos-program"]= "exe",
["application/x-msdownload"]= "exe",
["application/x-msmediaview"]= "mvb",
["application/x-msmetafile"]= "wmf",
["application/x-msmoney"]= "mny",
["application/x-mspublisher"]= "pub",
["application/x-msschedule"]= "scd",
["application/x-msterminal"]= "trm",
["application/x-mswrite"]= "wri",
["application/x-netcdf"]= "cdf",
["application/x-nzb"]= "nzb",
["application/x-oleobject"]= "hhc",
["application/x-pcapng"]= "pcap",
["application/x-pe-app-32bit-i386"]= "exe",
["application/x-perfmon"]= "pmw",
["application/x-perl"]= "pl",
["application/x-pkcs12"]= "p12",
["application/x-pkcs7-certificates"]= "p7b",
["application/x-pkcs7-certreqresp"]= "p7r",
["application/x-podcast"]= "pcast",
["application/x-python"]= "py",
["application/x-quicktimeplayer"]= "qtl",
["application/x-rar-compressed"]= "rar",
["application/x-research-info-systems"]= "ris",
["application/x-safari-safariextz"]= "safariextz",
["application/x-safari-webarchive"]= "webarchive",
["application/x-sgimb"]= "sgimb",
["application/x-sh"]= "sh",
["application/x-shar"]= "shar",
["application/x-sharedlib"]= "lib",
["application/x-shockwave-flash"]= "swf",
["application/x-silverlight-app"]= "xap",
["application/x-smaf"]= "mmf",
["application/x-sql"]= "sql",
["application/x-stuffit"]= "sit",
["application/x-stuffitx"]= "sitx",
["application/x-subrip"]= "srt",
["application/x-sv4cpio"]= "sv4cpio",
["application/x-sv4crc"]= "sv4crc",
["application/x-t3vm-image"]= "t3",
["application/x-tads"]= "gam",
["application/x-tar"]= "tar",
["application/x-tcl"]= "tcl",
["application/x-tex"]= "tex",
["application/x-tex-tfm"]= "tfm",
["application/x-texinfo"]= "texinfo",
["application/x-tgif"]= "obj",
["application/x-troff"]= "tr",
["application/x-troff-man"]= "man",
["application/x-troff-me"]= "me",
["application/x-troff-ms"]= "ms",
["application/x-ustar"]= "ustar",
["application/x-wais-source"]= "src",
["application/x-wlpg-detect"]= "wlpginstall",
["application/x-wlpg3-detect"]= "wlpginstall3",
["application/x-x509-ca-cert"]= "crt",
["application/x-xfig"]= "fig",
["application/x-xliff+xml"]= "xlf",
["application/x-xpinstall"]= "xpi",
["application/x-xz"]= "xz",
["application/x-zip-compressed"]= "zip",
["application/x-zmachine"]= "z1",
["application/xaml+xml"]= "xaml",
["application/xcap-diff+xml"]= "xdf",
["application/xenc+xml"]= "xenc",
["application/xhtml+xml"]= "xhtml",
["application/xml"]= "xml",
["application/xml-dtd"]= "dtd",
["application/xop+xml"]= "xop",
["application/xproc+xml"]= "xpl",
["application/xslt+xml"]= "xslt",
["application/xspf+xml"]= "xspf",
["application/xv+xml"]= "xvml",
["application/yang"]= "yang",
["application/yin+xml"]= "yin",
["application/zip"]= "zip",
["audio/aac"]= "aac",
["audio/ac3"]= "ac3",
["audio/adpcm"]= "adp",
["audio/aiff"]= "aiff",
["audio/annodex"]= "axa",
["audio/audible"]= "aa",
["audio/basic"]= "au",
["audio/flac"]= "flac",
["audio/m4a"]= "m4a",
["audio/m4b"]= "m4b",
["audio/m4p"]= "m4p",
["audio/mid"]= "midi",
["audio/midi"]= "midi",
["audio/mp4"]= "m4a",
["audio/mpeg"]= "mp3",
["audio/ogg"]= "ogg",
["audio/s3m"]= "s3m",
["audio/scpls"]= "pls",
["audio/silk"]= "sil",
["audio/vnd.audible.aax"]= "aax",
["audio/vnd.dece.audio"]= "uva",
["audio/vnd.digital-winds"]= "eol",
["audio/vnd.dlna.adts"]= "ADT",
["audio/vnd.dra"]= "dra",
["audio/vnd.dts"]= "dts",
["audio/vnd.dts.hd"]= "dtshd",
["audio/vnd.lucent.voice"]= "lvp",
["audio/vnd.ms-playready.media.pya"]= "pya",
["audio/vnd.nuera.ecelp4800"]= "ecelp4800",
["audio/vnd.nuera.ecelp7470"]= "ecelp7470",
["audio/vnd.nuera.ecelp9600"]= "ecelp9600",
["audio/vnd.rip"]= "rip",
["audio/wav"]= "wav",
["audio/webm"]= "weba",
["audio/x-aac"]= "aac",
["audio/x-aiff"]= "aiff",
["audio/x-caf"]= "caf",
["audio/x-flac"]= "flac",
["audio/x-gsm"]= "gsm",
["audio/x-m4a"]= "m4a",
["audio/x-m4r"]= "m4r",
["audio/x-matroska"]= "mka",
["audio/x-mpegurl"]= "m3u",
["audio/x-ms-wax"]= "wax",
["audio/x-ms-wma"]= "wma",
["audio/x-pn-realaudio"]= "ra",
["audio/x-pn-realaudio-plugin"]= "rmp",
["audio/x-sd2"]= "sd2",
["audio/x-smd"]= "smd",
["audio/x-wav"]= "wav",
["audio/xm"]= "xm",
["chemical/x-cdx"]= "cdx",
["chemical/x-cif"]= "cif",
["chemical/x-cmdf"]= "cmdf",
["chemical/x-cml"]= "cml",
["chemical/x-csml"]= "csml",
["chemical/x-xyz"]= "xyz",
["drawing/x-dwf"]= "dwf",
["font/collection"]= "ttc",
["font/otf"]= "otf",
["font/ttf"]= "ttf",
["font/woff"]= "woff",
["font/woff2"]= "woff2",
["image/bmp"]= "bmp",
["image/cgm"]= "cgm",
["image/cis-cod"]= "cod",
["image/g3fax"]= "g3",
["image/gif"]= "gif",
["image/ief"]= "ief",
["image/jpeg"]= "jpg",
["image/ktx"]= "ktx",
["image/pict"]= "pict",
["image/pjpeg"]= "jfif",
["image/png"]= "png",
["image/prs.btif"]= "btif",
["image/sgi"]= "sgi",
["image/svg+xml"]= "svg",
["image/tiff"]= "tiff",
["image/vnd.adobe.photoshop"]= "psd",
["image/vnd.dece.graphic"]= "uvg",
["image/vnd.djvu"]= "djvu",
["image/vnd.dvb.subtitle"]= "sub",
["image/vnd.dwg"]= "dwg",
["image/vnd.dxf"]= "dxf",
["image/vnd.fastbidsheet"]= "fbs",
["image/vnd.fpx"]= "fpx",
["image/vnd.fst"]= "fst",
["image/vnd.fujixerox.edmics-mmr"]= "mmr",
["image/vnd.fujixerox.edmics-rlc"]= "rlc",
["image/vnd.ms-modi"]= "mdi",
["image/vnd.ms-photo"]= "wdp",
["image/vnd.net-fpx"]= "npx",
["image/vnd.rn-realflash"]= "rf",
["image/vnd.wap.wbmp"]= "wbmp",
["image/vnd.xiff"]= "xif",
["image/webp"]= "webp",
["image/x-3ds"]= "3ds",
["image/x-cmu-raster"]= "ras",
["image/x-cmx"]= "cmx",
["image/x-freehand"]= "fh",
["image/x-gif"]= "gif",
["image/x-icon"]= "ico",
["image/x-jg"]= "art",
["image/x-jpeg"]= "jpg",
["image/x-macpaint"]= "mac",
["image/x-mrsid-image"]= "sid",
["image/x-pcx"]= "pcx",
["image/x-pict"]= "pic",
["image/x-png"]= "png",
["image/x-portable-anymap"]= "pnm",
["image/x-portable-bitmap"]= "pbm",
["image/x-portable-graymap"]= "pgm",
["image/x-portable-pixmap"]= "ppm",
["image/x-quicktime"]= "qti",
["image/x-rgb"]= "rgb",
["image/x-tga"]= "tga",
["image/x-xbitmap"]= "xbm",
["image/x-xpixmap"]= "xpm",
["image/x-xwindowdump"]= "xwd",
["message/rfc822"]= "eml",
["model/iges"]= "iges",
["model/mesh"]= "mesh",
["model/vnd.collada+xml"]= "dae",
["model/vnd.dwf"]= "dwf",
["model/vnd.gdl"]= "gdl",
["model/vnd.gtw"]= "gtw",
["model/vnd.mts"]= "mts",
["model/vnd.vtu"]= "vtu",
["model/vrml"]= "vrml",
["model/x3d+binary"]= "x3db",
["model/x3d+vrml"]= "x3dv",
["model/x3d+xml"]= "x3d",
["text/cache-manifest"]= "appcache",
["text/calendar"]= "ics",
["text/css"]= "css",
["text/csv"]= "csv",
["text/dlm"]= "dlm",
["text/h323"]= "323",
["text/html"]= "html",
["text/iuls"]= "uls",
["text/jscript"]= "jsx",
["text/n3"]= "n3",
["text/plain"]= "txt",
["text/prs.lines.tag"]= "dsc",
["text/richtext"]= "rtx",
["text/rtf"]= "rtf",
["text/scriptlet"]= "sct",
["text/sgml"]= "sgml",
["text/tab-separated-values"]= "tsv",
["text/troff"]= "tr",
["text/uri-list"]= "uri",
["text/vbscript"]= "vbs",
["text/vcard"]= "vcard",
["text/vnd.curl"]= "curl",
["text/vnd.curl.dcurl"]= "dcurl",
["text/vnd.curl.mcurl"]= "mcurl",
["text/vnd.curl.scurl"]= "scurl",
["text/vnd.dvb.subtitle"]= "sub",
["text/vnd.fly"]= "fly",
["text/vnd.fmi.flexstor"]= "flx",
["text/vnd.graphviz"]= "gv",
["text/vnd.in3d.3dml"]= "3dml",
["text/vnd.in3d.spot"]= "spot",
["text/vnd.sun.j2me.app-descriptor"]= "jad",
["text/vnd.wap.wml"]= "wml",
["text/vnd.wap.wmlscript"]= "wmls",
["text/vtt"]= "vtt",
["text/webviewhtml"]= "htt",
["text/x-asm"]= "asm",
["text/x-c"]= "c",
["text/x-component"]= "htc",
["text/x-fortran"]= "f",
["text/x-hdml"]= "hdml",
["text/x-html-insertion"]= "qhtm",
["text/x-java-source"]= "java",
["text/x-ms-contact"]= "contact",
["text/x-ms-group"]= "group",
["text/x-ms-iqy"]= "iqy",
["text/x-ms-rqy"]= "rqy",
["text/x-nfo"]= "nfo",
["text/x-opml"]= "opml",
["text/x-pascal"]= "pas",
["text/x-setext"]= "etx",
["text/x-sfv"]= "sfv",
["text/x-uuencode"]= "uu",
["text/x-vcalendar"]= "vcs",
["text/x-vcard"]= "vcf",
["text/xml"]= "xml",
["video/3gpp"]= "3gp",
["video/3gpp2"]= "3g2",
["video/annodex"]= "axv",
["video/divx"]= "divx",
["video/h261"]= "h261",
["video/h263"]= "h263",
["video/h264"]= "h264",
["video/jpeg"]= "jpgv",
["video/jpm"]= "jpm",
["video/mj2"]= "mj2",
["video/mp4"]= "mp4",
["video/mpeg"]= "mpg",
["video/ogg"]= "ogv",
["video/quicktime"]= "mov",
["video/vnd.dece.hd"]= "uvh",
["video/vnd.dece.mobile"]= "uvm",
["video/vnd.dece.pd"]= "uvp",
["video/vnd.dece.sd"]= "uvs",
["video/vnd.dece.video"]= "uvv",
["video/vnd.dlna.mpeg-tts"]= "m2t",
["video/vnd.dvb.file"]= "dvb",
["video/vnd.fvt"]= "fvt",
["video/vnd.mpegurl"]= "m4u",
["video/vnd.ms-playready.media.pyv"]= "pyv",
["video/vnd.uvvu.mp4"]= "uvu",
["video/vnd.vivo"]= "viv",
["video/webm"]= "webm",
["video/x-dv"]= "dv",
["video/x-f4v"]= "f4v",
["video/x-fli"]= "fli",
["video/x-flv"]= "flv",
["video/x-ivf"]= "IVF",
["video/x-la-asf"]= "lsf",
["video/x-m4v"]= "m4v",
["video/x-matroska"]= "mkv",
["video/x-matroska-3d"]= "mk3d",
["video/x-mng"]= "mng",
["video/x-ms-asf"]= "asf",
["video/x-ms-vob"]= "vob",
["video/x-ms-wm"]= "wm",
["video/x-ms-wmp"]= "wmp",
["video/x-ms-wmv"]= "wmv",
["video/x-ms-wmx"]= "wmx",
["video/x-ms-wvx"]= "wvx",
["video/x-msvideo"]= "avi",
["video/x-sgi-movie"]= "movie",
["video/x-smv"]= "smv",
["x-conference/x-cooltalk"]= "ice",
["x-world/x-vrml"]= "wrl"
} &default="bin" &redef;
}

1
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/root/.selected_editor Normal file
View File

@@ -0,0 +1 @@
SELECTED_EDITOR="/usr/bin/vim.tiny"

1
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/root/.vimrc Normal file
View File

@@ -0,0 +1 @@
set nocompatible

123
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/local/etc/zeek/guess.zeek Normal file
View File

@@ -0,0 +1,123 @@
module Best_Guess;
# given an input map file with the following format:
# proto dport sport name category
# (see https://docs.zeek.org/en/master/frameworks/input.html#reading-data-into-tables
# for details on how the table is loaded),
# load up the table on zeek_init and for each connection_state_remove
# make a "best guess" of protocols based on proto+dport+sport.
# Best guesses are written to bestguess according to Best_Guess::Info
# Table key is transport protocol + destination port + source port
# Zeek will segfault if there is an unset value ('-') in the key,
# so use unknown_transport and 0 for protocol and ports, respectively,
# if they are not defined in the lookup.
type Best_Guess_Key: record {
proto: transport_proto &optional;
dport: count &optional;
sport: count &optional;
};
# Other table values include name, category.
type Best_Guess_Value: record {
name: string &optional;
category: string &optional;
};
export {
redef enum Log::ID += { BEST_GUESS_LOG };
#############################################################################
# This is the format of bestguess.log
type Info: record {
# Timestamp for when the event happened.
ts: time &log;
# Unique ID for the connection.
uid: string &log;
# The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
# transport protocol
proto: transport_proto &log &optional;
# protocol guess values for log
name: string &log &optional;
category: string &log &optional;
# originating structure containing guess info
guess_info: Best_Guess_Value &optional;
};
# Event that can be handled to access the record as it is sent on to the logging framework.
global log_best_guess: event(rec: Best_Guess::Info);
}
# lookup table of Best_Guess_Key -> Best_Guess_Value to be loaded in zeek_init
global proto_guesses: table[transport_proto, count, count] of Best_Guess_Value = table();
# filespec containing best guess mappings
global guest_map_filespec : string = @DIR + "/guess_ics_map.txt";
#############################################################################
event zeek_init() &priority=5 {
# populate the lookup table from guest_map_filespec and then clean up the intermediate source
Input::add_table([$source=guest_map_filespec, $name="guess_ics_map",
$idx=Best_Guess_Key, $val=Best_Guess_Value,
$destination=proto_guesses, $want_record=T]);
Input::remove("guess_ics_map");
# initialize bestguess.log
Log::create_stream(Best_Guess::BEST_GUESS_LOG, [$columns=Best_Guess::Info, $ev=log_best_guess, $path="bestguess"]);
}
#############################################################################
event connection_state_remove(c: connection) {
local p = get_port_transport_proto(c$id$resp_p);
local dp = port_to_count(c$id$resp_p);
local sp = port_to_count(c$id$orig_p);
local guess = Best_Guess_Value($name="");
local category: string = "";
# 1. only check connections for which we don't already know "service"
# 2. skip ICMP, since dp and sp don't mean the same thing for ICMP
if (((!c?$service) || (|c$service| == 0)) && (p != icmp)) {
# Look up permutations of transport protocol + destination port + source port
# from more-specific to less-specific.
if ([p, dp, sp] in proto_guesses)
guess = proto_guesses[p, dp, sp];
else if ([p, dp, 0] in proto_guesses)
guess = proto_guesses[p, dp, 0];
else if ([p, 0, sp] in proto_guesses)
guess = proto_guesses[p, 0, sp];
else if ([unknown_transport, dp, sp] in proto_guesses)
guess = proto_guesses[unknown_transport, dp, sp];
else if ([unknown_transport, dp, 0] in proto_guesses)
guess = proto_guesses[unknown_transport, dp, 0];
else if ([unknown_transport, 0, sp] in proto_guesses)
guess = proto_guesses[unknown_transport, 0, sp];
# if a best guess was made based on protocol and ports, log it
if ((guess?$name) && (guess$name != "")) {
# as category may be undefined, check before accessing
if (guess?$category)
category = guess$category;
# log entry into bestguess.log
local info = Best_Guess::Info($ts=network_time(),
$uid=c$uid,
$id=c$id,
$proto=p,
$name=guess$name,
$category=category,
$guess_info=guess);
Log::write(Best_Guess::BEST_GUESS_LOG, info);
} # found guess
} # if (p != icmp)
} # connection_state_remove

360
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/local/etc/zeek/guess_ics_map.txt Normal file
View File

@@ -0,0 +1,360 @@
#fields proto dport sport name category
unknown_transport 0 2221 Rockwell CSP Rockwell Automation
unknown_transport 0 2222 Rockwell CSP Rockwell Automation
unknown_transport 0 2223 Rockwell CSP Rockwell Automation
unknown_transport 0 5007 Mitsubishi Electronic MELSEC-Q SLAVE Mitsubishi Electric
unknown_transport 0 5413 Wonderware AVEVA
unknown_transport 0 5891 Intelligent Instrumentation EDAS Intelligent Instrumentation
unknown_transport 0 7022 CT Discovery Protocol CTDP -
unknown_transport 0 7200 Fiber Optics Data Multiplexing Services FLIP -
unknown_transport 0 7201 DLIP -
tcp 0 7700 Rockwell FactoryTalk Event Server Rockwell Automation
unknown_transport 0 7710 Rockwell FactoryTalk Directory Server Rockwell Automation
unknown_transport 0 7720 Rockwell RSViewSE Rockwell Automation
unknown_transport 0 7721 Rockwell RSViewSE Rockwell Automation
unknown_transport 0 7722 Rockwell RSViewSE HMI Activation Rockwell Automation
unknown_transport 0 9212 Server View DBMS Access -
unknown_transport 0 9213 ServerStart RemoteControl -
unknown_transport 0 23400 Novar Data Honeywell
unknown_transport 0 23401 Novar Alarm Honeywell
unknown_transport 0 23402 Novar Global Honeywell
unknown_transport 0 34963 PROFInet RT Multicast PROFIBUS and PROFINET
unknown_transport 0 34964 PROFInet Context Manager PROFIBUS and PROFINET
unknown_transport 0 44818 Rockwell Encapsulation Rockwell Automation
unknown_transport 210 0 ANSI Z39.50 -
tcp 400 0 Rockwell RSSql Transaction Manager Rockwell Automation
tcp 401 0 Rockwell RSSql Compression Server Rockwell Automation
tcp 402 0 Rockwell RSSql Configuration Server Rockwell Automation
unknown_transport 500 0 Fatek FB Series FATEK Automation
unknown_transport 554 0 RTP RTSP Streaming Protocol -
unknown_transport 789 0 Red Lion CrimsonV3 Red Lion
unknown_transport 1025 0 Mitsubishi Electronic FX Mitsubishi Electric
unknown_transport 1089 0 Rockwell Foundation Fieldbus Rockwell Automation
unknown_transport 1090 0 Rockwell Foundation Fieldbus Rockwell Automation
unknown_transport 1091 0 Rockwell Foundation Fieldbus Rockwell Automation
tcp 1132 0 Rockwell AADvance Rockwell Automation
unknown_transport 1153 0 ANSI C12.22 -
tcp 1200 0 CodeSys Gateway Server CODESYS
tcp 1330 0 Rockwell FactoryTalk Object RPC Rockwell Automation
tcp 1331 0 Rockwell FactoryTalk Service Control Rockwell Automation
tcp 1332 0 Rockwell FactoryTalk Server Health Rockwell Automation
tcp 1433 0 Rockwell FactoryTalk Asset Centre Server/VantagePoint SQL Rockwell Automation
tcp 1434 0 Rockwell FactoryTalk Asset Centre Server/VantagePoint MSSQL Rockwell Automation
unknown_transport 1541 0 Foxboro/Invensys Foxboro DCS Informix Schneider Electric
unknown_transport 1962 0 Phoenix Contact PC WORX Engineering Workstation PHOENIX CONTACT
unknown_transport 2004 0 LS FEnet LS Electric
udp 2010 0 Rockwell AADvance Discover Tool Rockwell Automation
udp 2011 0 Rockwell AADvance Discover Tool Rockwell Automation
unknown_transport 2085 0 ADA Control ADA-CIP -
unknown_transport 2198 0 OneHome Remote Access -
unknown_transport 2199 0 OneHome Service Port -
unknown_transport 2221 0 Rockwell CSP Rockwell Automation
unknown_transport 2222 0 Rockwell CSP Rockwell Automation
unknown_transport 2223 0 Rockwell CSP Rockwell Automation
tcp 2393 0 OLAP Microsoft
tcp 2394 0 OLAP Microsoft
unknown_transport 2404 0 IEC 60870-5-104 -
unknown_transport 2423 0 RNRP Redundant Network Routing ABB
tcp 2455 0 CodeSys Gateway Server CODESYS
unknown_transport 2540 0 LonWorks LonWorks
unknown_transport 2541 0 LonWorks LonWorks
unknown_transport 2729 0 TCIM Control -
unknown_transport 2757 0 CNRP Common Name Resolution Protocol -
unknown_transport 2846 0 AIMPP Hello -
unknown_transport 2847 0 AIMPP Port Req -
unknown_transport 3004 0 Hitachi EHV Series Hitachi
unknown_transport 3060 0 Rockwell FactoryTalk Directory Server File Transfer Rockwell Automation
unknown_transport 3240 0 Trio Motion Control Trio Motion Technology
unknown_transport 3250 0 HMS HICP Port HMC HMS Networks
unknown_transport 3338 0 OMF Data B ANET-B -
unknown_transport 3340 0 OMF Data M ANET-M -
unknown_transport 3341 0 OMF Data H ANET-H -
tcp 102 0 ICCP -
tcp 3480 0 OPC UA Discovery -
unknown_transport 3614 0 Schleicher Satchwell Sigma Schleicher Electronic
unknown_transport 3622 0 Rockwell FF LAN Redundancy Port Rockwell Automation
unknown_transport 3639 0 xAP Home Automation -
unknown_transport 3743 0 IP Control Systems Ltd ICS Command IP Control Systems Ltd
unknown_transport 3794 0 JAUS Robots -
unknown_transport 3820 0 Siemens AuD SCP Siemens AG
unknown_transport 3848 0 IT Environmental Monitor -
unknown_transport 3873 0 Fagor DNC Fagor Automation
unknown_transport 3875 0 PNBSCADA -
unknown_transport 3881 0 Intelligent Data Acquisition and Control IDAC -
unknown_transport 4000 0 Fisher ROC Plus Emerson Electric
tcp 4120 0 Rockwell Bizware Production Server Rockwell Automation
tcp 4121 0 Rockwell Bizware Server Manager Rockwell Automation
tcp 4122 0 Rockwell Bizware PlantMetrics Server Rockwell Automation
tcp 4123 0 Rockwell Bizware Task Manager Rockwell Automation
tcp 4124 0 Rockwell Bizware Scheduler Rockwell Automation
tcp 4125 0 Rockwell Bizware CTP Server Rockwell Automation
unknown_transport 4450 0 Common ASCII Message Protocol CAMP -
unknown_transport 4451 0 CTI System Message -
unknown_transport 4452 0 CTI Program Load -
unknown_transport 4999 0 Mitsubishi Electronic MELSEC-Q Mitsubishi Electric
udp 5000 0 Rockwell AADvance Peer to P2P Rockwell Automation
unknown_transport 5001 0 Mitsubishi Electronic FX3u Mitsubishi Electric
unknown_transport 5004 0 RTP Time Transport -
unknown_transport 5006 0 Mitsubishi Electronic MELSEC-Q MASTER Mitsubishi Electric
unknown_transport 5007 0 Mitsubishi Electronic MELSEC-Q MASTER Mitsubishi Electric
tcp 5050 0 OASyS SCADA AVEVA
unknown_transport 5050 0 Danfoss ECL Apex Danfoss
tcp 5051 0 OASyS SCADA AVEVA
tcp 5052 0 OASyS SCADA AVEVA
tcp 5065 0 OASyS SCADA AVEVA
unknown_transport 5069 0 I/NET 2000-NPR Control Systems International
unknown_transport 5413 0 Wonderware AVEVA
tcp 5450 0 Rockwell FactoryTalk PI Network Manager Rockwell Automation
tcp 5454 0 Rockwell FactoryTalk Analysis Framework Rockwell Automation
tcp 5455 0 Rockwell FactoryTalk Analysis Framework Rockwell Automation
tcp 5456 0 Rockwell FactoryTalk ACE2 Scheduler Rockwell Automation
tcp 5457 0 Rockwell FactoryTalk Asset Framework Server Rockwell Automation
tcp 5458 0 Rockwell FactoryTalk PI Notification Rockwell Automation
tcp 6543 0 Rockwell FactoryTalk Alarming Server Rockwell Automation
tcp 7002 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
tcp 7003 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
tcp 7004 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
unknown_transport 7022 0 CT Discovery Protocol -
unknown_transport 7201 0 DLIP -
tcp 7600 0 Rockwell FactoryTalk Event Multiplexor Rockwell Automation
tcp 7710 0 Rockwell FactoryTalk Directory Server Rockwell Automation
tcp 8081 0 Rockwell Bizware HTTP Server Manager Rockwell Automation
tcp 8083 0 Rockwell Bizware HTTP CTP Server Rockwell Automation
unknown_transport 8500 0 Panasonic FP2 Panasonic
unknown_transport 8501 0 Keyence KV-5000 Keyence
unknown_transport 9094 0 Panasonic FP Panasonic
unknown_transport 9600 0 Omron Factory Interface Network Service OMRON
tcp 10001 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10002 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10003 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10004 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10005 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10006 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10307 0 ABB Ranger ABB
tcp 10311 0 ABB Ranger ABB
tcp 10364 0 ABB Ranger ABB
tcp 10365 0 ABB Ranger ABB
tcp 10407 0 ABB Ranger ABB
tcp 10409 0 ABB Ranger ABB
tcp 10410 0 ABB Ranger ABB
tcp 10412 0 ABB Ranger ABB
tcp 10414 0 ABB Ranger ABB
tcp 10415 0 ABB Ranger ABB
tcp 10428 0 ABB Ranger ABB
tcp 10431 0 ABB Ranger ABB
tcp 10432 0 ABB Ranger ABB
tcp 10447 0 ABB Ranger ABB
tcp 10449 0 ABB Ranger ABB
tcp 10450 0 ABB Ranger ABB
unknown_transport 11001 0 Metasys N1 Johnson Controls
tcp 12135 0 OASyS SCADA AVEVA
tcp 12136 0 OASyS SCADA AVEVA
tcp 12137 0 OASyS SCADA AVEVA
tcp 12316 0 ABB Ranger ABB
tcp 12645 0 ABB Ranger ABB
tcp 12647 0 ABB Ranger ABB
tcp 12648 0 ABB Ranger ABB
tcp 13722 0 ABB Ranger ABB
tcp 13724 0 ABB Ranger ABB
tcp 13782 0 ABB Ranger ABB
tcp 13783 0 ABB Ranger ABB
tcp 18000 0 Genesis32 GenBroker ICONICS
unknown_transport 20256 0 Unitronics Socket 1 Unitronics
unknown_transport 20257 0 Unitronics Socket 2/3 Unitronics
unknown_transport 20547 0 ProconOS KW Software
tcp 27000 0 Rockwell FlexLM Server Rockwell Automation
tcp 27001 0 Rockwell FlexLM Server Rockwell Automation
tcp 27002 0 Rockwell FlexLM Server Rockwell Automation
tcp 27003 0 Rockwell FlexLM Server Rockwell Automation
tcp 27004 0 Rockwell FlexLM Server Rockwell Automation
tcp 27005 0 Rockwell FlexLM Server Rockwell Automation
tcp 27006 0 Rockwell FlexLM Server Rockwell Automation
tcp 27007 0 Rockwell FlexLM Server Rockwell Automation
tcp 27008 0 Rockwell FlexLM Server Rockwell Automation
tcp 27009 0 Rockwell FlexLM Server Rockwell Automation
unknown_transport 28784 0 Koyo Ethernet -
unknown_transport 34962 0 PROFInet RT Unicast PROFIBUS and PROFINET
tcp 38000 0 GENe SNC
tcp 38001 0 GENe SNC
tcp 38011 0 GENe SNC
tcp 38012 0 GENe SNC
tcp 38014 0 GENe SNC
tcp 38015 0 GENe SNC
tcp 38200 0 GENe SNC
tcp 38210 0 GENe SNC
tcp 38301 0 GENe SNC
tcp 38400 0 GENe SNC
tcp 38589 0 ABB Ranger ABB
tcp 38593 0 ABB Ranger ABB
tcp 38600 0 ABB Ranger ABB
tcp 38700 0 GENe SNC
tcp 38971 0 ABB Ranger ABB
tcp 39129 0 ABB Ranger ABB
tcp 39278 0 ABB Ranger ABB
unknown_transport 44818 0 Rockwell Encapsulation Rockwell Automation
unknown_transport 45678 0 Foxboro/Invensys Foxboro DCS AIMAPI Schneider Electric
tcp 49281 0 Rockwell FactoryTalk Live Data/SE HMI Tag Server Rockwell Automation
tcp 50001 0 Siemens Spectrum Power TG Siemens AG
tcp 50002 0 Siemens Spectrum Power TG Siemens AG
tcp 50003 0 Siemens Spectrum Power TG Siemens AG
tcp 50004 0 Siemens Spectrum Power TG Siemens AG
tcp 50005 0 Siemens Spectrum Power TG Siemens AG
tcp 50006 0 Siemens Spectrum Power TG Siemens AG
tcp 50007 0 Siemens Spectrum Power TG Siemens AG
tcp 50008 0 Siemens Spectrum Power TG Siemens AG
tcp 50009 0 Siemens Spectrum Power TG Siemens AG
tcp 50010 0 Siemens Spectrum Power TG Siemens AG
tcp 50011 0 Siemens Spectrum Power TG Siemens AG
tcp 50012 0 Siemens Spectrum Power TG Siemens AG
tcp 50013 0 Siemens Spectrum Power TG Siemens AG
tcp 50014 0 Siemens Spectrum Power TG Siemens AG
tcp 50015 0 Siemens Spectrum Power TG Siemens AG
tcp 50016 0 Siemens Spectrum Power TG Siemens AG
tcp 50018 0 Siemens Spectrum Power TG Siemens AG
tcp 50019 0 Siemens Spectrum Power TG Siemens AG
tcp 50020 0 Siemens Spectrum Power TG Siemens AG
tcp 50021 0 Siemens Spectrum Power TG Siemens AG
tcp 50025 0 Siemens Spectrum Power TG Siemens AG
tcp 50026 0 Siemens Spectrum Power TG Siemens AG
tcp 50027 0 Siemens Spectrum Power TG Siemens AG
tcp 50028 0 Siemens Spectrum Power TG Siemens AG
tcp 50110 0 Siemens Spectrum Power TG Siemens AG
tcp 50111 0 Siemens Spectrum Power TG Siemens AG
unknown_transport 55000 0 Mitsubishi Electronic FL-Net Cyclic Transmission Mitsubishi Electric
unknown_transport 55001 0 Mitsubishi Electronic FL-Net Message Transmission Mitsubishi Electric
unknown_transport 55002 0 Mitsubishi Electronic FL-Net Participation Request Frame Mitsubishi Electric
unknown_transport 55003 0 Mitsubishi Electronic FL-Net Sending Service Mitsubishi Electric
tcp 55555 0 Rockwell AADvance Telnet Rockwell Automation
unknown_transport 55555 0 Foxboro/Invensys Foxboro DCS FoxAPI Schneider Electric
tcp 56001 0 OASyS SCADA AVEVA
tcp 56001 0 OASyS SCADA AVEVA
tcp 56002 0 OASyS SCADA AVEVA
tcp 56003 0 OASyS SCADA AVEVA
tcp 56004 0 OASyS SCADA AVEVA
tcp 56005 0 OASyS SCADA AVEVA
tcp 56006 0 OASyS SCADA AVEVA
tcp 56007 0 OASyS SCADA AVEVA
tcp 56008 0 OASyS SCADA AVEVA
tcp 56009 0 OASyS SCADA AVEVA
tcp 56010 0 OASyS SCADA AVEVA
tcp 56011 0 OASyS SCADA AVEVA
tcp 56012 0 OASyS SCADA AVEVA
tcp 56013 0 OASyS SCADA AVEVA
tcp 56014 0 OASyS SCADA AVEVA
tcp 56015 0 OASyS SCADA AVEVA
tcp 56016 0 OASyS SCADA AVEVA
tcp 56017 0 OASyS SCADA AVEVA
tcp 56018 0 OASyS SCADA AVEVA
tcp 56019 0 OASyS SCADA AVEVA
tcp 56020 0 OASyS SCADA AVEVA
tcp 56021 0 OASyS SCADA AVEVA
tcp 56022 0 OASyS SCADA AVEVA
tcp 56023 0 OASyS SCADA AVEVA
tcp 56024 0 OASyS SCADA AVEVA
tcp 56025 0 OASyS SCADA AVEVA
tcp 56026 0 OASyS SCADA AVEVA
tcp 56027 0 OASyS SCADA AVEVA
tcp 56028 0 OASyS SCADA AVEVA
tcp 56029 0 OASyS SCADA AVEVA
tcp 56030 0 OASyS SCADA AVEVA
tcp 56031 0 OASyS SCADA AVEVA
tcp 56032 0 OASyS SCADA AVEVA
tcp 56033 0 OASyS SCADA AVEVA
tcp 56034 0 OASyS SCADA AVEVA
tcp 56035 0 OASyS SCADA AVEVA
tcp 56036 0 OASyS SCADA AVEVA
tcp 56037 0 OASyS SCADA AVEVA
tcp 56038 0 OASyS SCADA AVEVA
tcp 56039 0 OASyS SCADA AVEVA
tcp 56040 0 OASyS SCADA AVEVA
tcp 56041 0 OASyS SCADA AVEVA
tcp 56042 0 OASyS SCADA AVEVA
tcp 56043 0 OASyS SCADA AVEVA
tcp 56044 0 OASyS SCADA AVEVA
tcp 56045 0 OASyS SCADA AVEVA
tcp 56046 0 OASyS SCADA AVEVA
tcp 56047 0 OASyS SCADA AVEVA
tcp 56048 0 OASyS SCADA AVEVA
tcp 56049 0 OASyS SCADA AVEVA
tcp 56050 0 OASyS SCADA AVEVA
tcp 56051 0 OASyS SCADA AVEVA
tcp 56052 0 OASyS SCADA AVEVA
tcp 56053 0 OASyS SCADA AVEVA
tcp 56054 0 OASyS SCADA AVEVA
tcp 56055 0 OASyS SCADA AVEVA
tcp 56056 0 OASyS SCADA AVEVA
tcp 56057 0 OASyS SCADA AVEVA
tcp 56058 0 OASyS SCADA AVEVA
tcp 56059 0 OASyS SCADA AVEVA
tcp 56060 0 OASyS SCADA AVEVA
tcp 56061 0 OASyS SCADA AVEVA
tcp 56062 0 OASyS SCADA AVEVA
tcp 56063 0 OASyS SCADA AVEVA
tcp 56064 0 OASyS SCADA AVEVA
tcp 56065 0 OASyS SCADA AVEVA
tcp 56066 0 OASyS SCADA AVEVA
tcp 56067 0 OASyS SCADA AVEVA
tcp 56068 0 OASyS SCADA AVEVA
tcp 56069 0 OASyS SCADA AVEVA
tcp 56070 0 OASyS SCADA AVEVA
tcp 56071 0 OASyS SCADA AVEVA
tcp 56072 0 OASyS SCADA AVEVA
tcp 56073 0 OASyS SCADA AVEVA
tcp 56074 0 OASyS SCADA AVEVA
tcp 56075 0 OASyS SCADA AVEVA
tcp 56076 0 OASyS SCADA AVEVA
tcp 56077 0 OASyS SCADA AVEVA
tcp 56078 0 OASyS SCADA AVEVA
tcp 56079 0 OASyS SCADA AVEVA
tcp 56080 0 OASyS SCADA AVEVA
tcp 56081 0 OASyS SCADA AVEVA
tcp 56082 0 OASyS SCADA AVEVA
tcp 56083 0 OASyS SCADA AVEVA
tcp 56084 0 OASyS SCADA AVEVA
tcp 56085 0 OASyS SCADA AVEVA
tcp 56086 0 OASyS SCADA AVEVA
tcp 56087 0 OASyS SCADA AVEVA
tcp 56088 0 OASyS SCADA AVEVA
tcp 56089 0 OASyS SCADA AVEVA
tcp 56090 0 OASyS SCADA AVEVA
tcp 56091 0 OASyS SCADA AVEVA
tcp 56092 0 OASyS SCADA AVEVA
tcp 56093 0 OASyS SCADA AVEVA
tcp 56094 0 OASyS SCADA AVEVA
tcp 56095 0 OASyS SCADA AVEVA
tcp 56096 0 OASyS SCADA AVEVA
tcp 56097 0 OASyS SCADA AVEVA
tcp 56098 0 OASyS SCADA AVEVA
tcp 56099 0 OASyS SCADA AVEVA
tcp 60093 0 Rockwell FactoryTalk Diagnostics Rockwell Automation
tcp 62900 0 GENe SNC
tcp 62911 0 GENe SNC
tcp 62924 0 GENe SNC
tcp 62930 0 GENe SNC
tcp 62938 0 GENe SNC
tcp 62956 0 GENe SNC
tcp 62957 0 GENe SNC
tcp 62963 0 GENe SNC
tcp 62981 0 GENe SNC
tcp 62982 0 GENe SNC
tcp 62985 0 GENe SNC
tcp 62992 0 GENe SNC
tcp 63012 0 GENe SNC
tcp 63027 0 GENe SNC
tcp 63028 0 GENe SNC
tcp 63029 0 GENe SNC
tcp 63030 0 GENe SNC
tcp 63031 0 GENe SNC
tcp 63032 0 GENe SNC
tcp 63033 0 GENe SNC
tcp 63034 0 GENe SNC
tcp 63035 0 GENe SNC
tcp 63036 0 GENe SNC
tcp 63041 0 GENe SNC
tcp 63075 0 GENe SNC
tcp 63079 0 GENe SNC
tcp 63082 0 GENe SNC
tcp 63088 0 GENe SNC
tcp 63094 0 GENe SNC
tcp 65207 0 Rockwell FactoryTalk VantagePoint Incuity Server Advertiser Rockwell Automation
tcp 65443 0 GENe SNC

117
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek Normal file
View File

@@ -0,0 +1,117 @@
##! Zeek local site policy. Customize as appropriate.
##!
##! See https://github.com/zeek/zeekctl
##! https://docs.zeek.org/en/stable/script-reference/scripts.html
##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek
global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == "") ? F : T;
global disable_log_passwords = (getenv("ZEEK_DISABLE_LOG_PASSWORDS") == "") ? F : T;
global disable_ssl_validate_certs = (getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS") == "") ? F : T;
global disable_track_all_assets = (getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") == "") ? F : T;
global disable_best_guess_ics = (getenv("ZEEK_DISABLE_BEST_GUESS_ICS") == "") ? F : T;
global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T;
global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T;
global disable_spicy_http = (getenv("ZEEK_DISABLE_SPICY_HTTP") == "") ? F : T;
global disable_spicy_ldap = (getenv("ZEEK_DISABLE_SPICY_LDAP") == "") ? F : T;
global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == "") ? F : T;
global disable_spicy_openvpn = (getenv("ZEEK_DISABLE_SPICY_OPENVPN") == "") ? F : T;
global disable_spicy_tftp = (getenv("ZEEK_DISABLE_SPICY_TFTP") == "") ? F : T;
global disable_spicy_wireguard = (getenv("ZEEK_DISABLE_SPICY_WIREGUARD") == "") ? F : T;
redef Broker::default_listen_address = "127.0.0.1";
redef ignore_checksums = T;
@load tuning/defaults
@load misc/scan
@load frameworks/software/vulnerable
@load frameworks/software/version-changes
@load frameworks/software/windows-version-detection
@load-sigs frameworks/signatures/detect-windows-shells
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/dhcp/software
@load protocols/dns/detect-external-names
@load protocols/ftp/detect
@load protocols/ftp/detect-bruteforcing.zeek
@load protocols/ftp/software
@load protocols/http/detect-sqli
@load protocols/http/detect-webapps
@load protocols/http/software
@load protocols/http/software-browser-plugins
@load protocols/mysql/software
@load protocols/ssl/weak-keys
@load protocols/smb/log-cmds
@load protocols/smtp/software
@load protocols/ssh/detect-bruteforcing
@load protocols/ssh/geo-data
@load protocols/ssh/interesting-hostnames
@load protocols/ssh/software
@load protocols/ssl/known-certs
@load protocols/ssl/log-hostcerts-only
@if (!disable_ssl_validate_certs)
@load protocols/ssl/validate-certs
@endif
@if (!disable_track_all_assets)
@load tuning/track-all-assets.zeek
@endif
@if (!disable_hash_all_files)
@load frameworks/files/hash-all-files
@endif
@load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging
@load policy/protocols/modbus/known-masters-slaves
@load policy/protocols/mqtt
@load ./login.zeek
@if (!disable_best_guess_ics)
@load ./guess.zeek
@endif
@load packages
event zeek_init() &priority=-5 {
if (disable_spicy_dhcp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP);
}
if (disable_spicy_dns) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DNS);
}
if (disable_spicy_http) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HTTP);
}
if (disable_spicy_ipsec) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_TCP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_UDP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_IKE_UDP);
}
if (disable_spicy_ldap) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_TCP);
}
if (disable_spicy_openvpn) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_MD5);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA1);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA256);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA512);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_MD5);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA1);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA256);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA512);
}
if (disable_spicy_tftp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_TFTP);
}
if (disable_spicy_wireguard) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_WIREGUARD);
}
}
@if (!disable_log_passwords)
redef HTTP::default_capture_password = T;
redef FTP::default_capture_password = T;
redef SOCKS::default_capture_password = T;
redef SNIFFPASS::log_password_plaintext = T;
@endif
redef SNIFFPASS::notice_log_enable = F;

253
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/local/etc/zeek/login.zeek Normal file
View File

@@ -0,0 +1,253 @@
module Login;
# log telnet, rlogin, and rsh events to login.log
export {
redef enum Log::ID += {
## The logging stream identifier
Log_LOGIN
};
type Info : record {
## Time the event occurred
ts : time &log;
## Unique ID for the connection
uid : string &log;
## The connection's 4-tuple of endpoint addresses/port
id : conn_id &log;
## proto (telnet, rlogin, or rsh)
proto : string &log &optional;
## login_success event was seen (successful login)
success : bool &log &default = F;
## login_confused event was seen (successful login)
confused : bool &log &default = F;
## username given for login attempt
user : string &log &optional;
## client_user given for login attempt (empty for telnet, set for rlogin)
client_user : string &log &optional;
## password given for login attempt
password : string &log &optional;
## whether or not a line has been written to login.log
logged : bool &default = F;
};
## Event that can be handled to access the :zeek:type:`Login::Info`
## record as it is sent on to the logging framework.
global log_login : event(rec : Info);
}
# Add the state tracking information variable to the connection record
redef record connection += {
login : Info &optional;
};
###############################################
# constants borrowed from the old Bro 1.5 login.bro required to make some of the telnet/rlogin/rsh events work correctly
# see https://github.com/zeek/zeek/blob/release/1.5/policy/login.bro#L178
# https://github.com/reservoirlabs/brorefguide/blob/master/analysis.texi#L3850
redef skip_authentication = { "WELCOME TO THE BERKELEY PUBLIC LIBRARY", };
redef direct_login_prompts = { "TERMINAL?", };
redef login_prompts = {
"Login:",
"login:",
"Name:",
"Username:",
"User:",
"Member Name",
"User Access Verification",
"Cisco Systems Console",
direct_login_prompts
};
redef login_non_failure_msgs = {
"Failures",
"failures", # probably is "<n> failures since last login"
"failure since last successful login",
"failures since last successful login",
};
redef login_non_failure_msgs = {
"Failures",
"failures", # probably is "<n> failures since last login"
"failure since last successful login",
"failures since last successful login",
} &redef;
redef login_failure_msgs = {
"invalid",
"Invalid",
"incorrect",
"Incorrect",
"failure",
"Failure",
# "Unable to authenticate",
# "unable to authenticate",
"User authorization failure",
"Login failed",
"INVALID",
"Sorry.",
"Sorry,",
};
const router_prompts: set[string] &redef;
redef login_success_msgs = {
"Last login",
"Last successful login",
"Last successful login",
"checking for disk quotas",
"unsuccessful login attempts",
"failure since last successful login",
"failures since last successful login",
router_prompts,
};
redef login_timeouts = {
"timeout",
"timed out",
"Timeout",
"Timed out",
"Error reading command input", # VMS
};
# end borrowed constants from Bro 1.5 login.bro
###############################################
# telnet, rlogin, rsh
const telnet_port = 23/tcp;
const telnet_ports = { telnet_port };
const rlogin_port = 513/tcp;
const rlogin_ports = { rlogin_port };
const rsh_port = 514/tcp;
const rsh_ports = { rsh_port };
redef likely_server_ports += { telnet_ports, rlogin_ports, rsh_ports };
# set_login_session - if has not yet been registered in the connection, instantiate
# the Info record and assign in c$login
function set_login_session(c : connection) {
if ( ! c?$login ) {
local s : Info = [$ts = network_time(), $uid = c$uid, $id = c$id];
switch c$id$resp_p {
case telnet_port:
s$proto = "telnet";
add c$service["telnet"];
break;
case rlogin_port:
s$proto = "rlogin";
add c$service["rlogin"];
break;
case rsh_port:
s$proto = "rsh";
add c$service["rsh"];
break;
}
c$login = s;
}
}
# login_message - log to login.log
function login_message(s : Info) {
# strip some values that can happen in a "confused" state that aren't really valid values
if (( s?$user ) && (( s$user == "" ) || ( s$user == "<none>" ) || ( s$user == "<timeout>" )))
delete s$user;
if (( s?$client_user ) && (( s$client_user == "" ) || ( s$client_user == "<none>" ) || ( s$client_user == "<timeout>" )))
delete s$client_user;
if (( s?$password ) && (( s$password == "" ) || ( s$password == "<none>" ) || ( s$password == "<timeout>" )))
delete s$password;
if (( s?$proto ) && ( s$proto == "" ))
delete s$proto;
s$ts = network_time();
Log::write(Login::Log_LOGIN, s);
s$logged = T;
}
# create log stream for login.log and register telnet, rlogin, and rsh analyzers
event zeek_init() &priority = 5 {
Log::create_stream(Login::Log_LOGIN, [$columns = Info, $ev = log_login, $path = "login"]);
Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, telnet_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_RLOGIN, rlogin_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_RSH, rsh_ports);
}
# login_confused - Generated when tracking of Telnet/Rlogin authentication failed
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_confused
event login_confused(c : connection, msg : string, line : string) &priority = 5 {
# print "login_confused", msg, line;
set_login_session(c);
c$login$confused = T;
}
# login_failure - Generated when tracking of Telnet/Rlogin authentication failed
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_failure
event login_failure(c : connection, user : string, client_user : string, password : string, line : string) &priority = 5 {
# print "login_failure", user, client_user, password, line;
set_login_session(c);
if ((!c$login?$user) || (c$login$user == ""))
c$login$user = user;
if ((!c$login?$client_user) || (c$login$client_user == ""))
c$login$client_user = client_user;
if ((!c$login?$password) || (c$login$password == ""))
c$login$password = password;
login_message(c$login);
}
# login_success - Generated for successful Telnet/Rlogin logins
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_success
event login_success(c : connection, user : string, client_user : string, password : string, line : string) &priority = 5 {
# print "login_success", user, client_user, password, line;
set_login_session(c);
c$login$success = T;
c$login$user = user;
c$login$client_user = client_user;
# it appears for a successful login with rsh where client_user was checked, what we're getting in
# the "password" field is actually not the password, but the first line of data
if ((c$login$proto != "rsh") || (c$login$client_user == ""))
c$login$password = password;
login_message(c$login);
}
event connection_state_remove(c : connection) &priority = -5 {
if (c?$login) {
if ( c$login$logged == F) {
login_message(c$login);
}
delete c$login;
}
}
# for testing:
# for file in /host/telnet/*; do cd /tmp; mkdir -p /host/logs/"$(basename "$file")"; /bin/rm -f /host/logs/"$(basename "$file")"/*; cd /host/logs/"$(basename "$file")"; zeek -r "$file" local > debug_output.txt; cd /tmp; done
# event activating_encryption(c: connection) { print "activating_encryption"; }
# event authentication_accepted(name: string, c: connection) { print "authentication_accepted", name; }
# event authentication_rejected(name: string, c: connection) { print "authentication_rejected", name; }
# event authentication_skipped(c: connection) { print "authentication_skipped"; }
# event bad_option(c: connection) { print "bad_option"; }
# event bad_option_termination(c: connection) { print "bad_option_termination"; }
# event inconsistent_option(c: connection) { print "inconsistent_option"; }
# event login_confused_text(c: connection, line: string) { print "login_confused_text", line; }
# event login_display(c: connection, display: string) { print "login_display", display; }
# event login_input_line(c: connection, line: string) { print "login_input_line", line; }
# event login_output_line(c: connection, line: string) { print "login_output_line", line; }
# event login_terminal(c: connection, terminal: string) { print "login_terminal", terminal; }
# event rsh_reply(c: connection, client_user: string, server_user: string, line: string) { print "rsh_reply", client_user, server_user, line; }
# event rsh_request(c: connection, client_user: string, server_user: string, line: string; new_session: bool) { print "rsh_request", client_user, server_user, line, new_session; }

10
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/applications/configure-capture.desktop Normal file
View File

@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Configure Capture and Forwarding
Exec=/usr/bin/terminator --maximise -T "Configure Capture and Forwarding" -x /usr/local/bin/configure-capture.py
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=network-receive.png
Categories=Network;
StartupNotify=true

10
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/applications/configure-interfaces.desktop Normal file
View File

@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Configure Interfaces and Hostname
Exec=/usr/bin/terminator --maximise -T "Configure Interfaces and Hostname" -x su -l -c /usr/local/bin/configure-interfaces.py
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=network-wired.png
Categories=Network;
StartupNotify=true

11
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/applications/hedgehog-kiosk.desktop Normal file
View File

@@ -0,0 +1,11 @@
[Desktop Entry]
Version=1.0
Name=Sensor Kiosk
Exec=/opt/firefox/firefox --setDefaultBrowser --no-remote --private --kiosk http://127.0.0.1:5000
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=/usr/share/images/hedgehog/hedgehog-color-small.png
Categories=Network;
StartupWMClass=Firefox
StartupNotify=true

11
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/applications/hedgehog-readme.desktop Normal file
View File

@@ -0,0 +1,11 @@
[Desktop Entry]
Version=1.0
Name=Sensor README
Exec=/opt/firefox/firefox --setDefaultBrowser file:////usr/share/doc/hedgehog/HedgehogLinux.html
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=help-browser
Categories=Network;
StartupWMClass=Firefox
StartupNotify=true

10
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/applications/sensor-services-full-restart.desktop Normal file
View File

@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Restart Sensor Services
Exec=/usr/bin/terminator -T "Restart Sensor Services" -x bash -c "echo 'Stopping services...' && ( /opt/sensor/sensor_ctl/shutdown >/dev/null 2>&1 || true ) && echo 'Please wait...' && sleep 30 && echo 'Starting services...' && /opt/sensor/sensor_ctl/supervisor.sh"
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=reload.png
Categories=Network;
StartupNotify=true

10
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/applications/sensor-services-status.desktop Normal file
View File

@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Sensor Service Status
Exec=/usr/bin/terminator -T "Sensor Service Status" -x bash -c "/opt/sensor/sensor_ctl/status && echo '' && read -p 'Press Enter to Continue'"
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=view-restore.png
Categories=Network;
StartupNotify=true

142
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/auditbeat/kibana/7/dashboard-custom/Auditbeat-auditd-overview-custom.json Normal file
View File

@@ -0,0 +1,142 @@
{
"version": "7.6.2",
"objects": [
{
"id": "072befc0-ffba-11e8-a854-ad7782ef6a55",
"type": "dashboard",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE2MDIsMV0=",
"attributes": {
"description": "Summary of Linux kernel audit events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"version\":true,\"highlightAll\":true}"
},
"optionsJSON": "{\"darkTheme\":true,\"useMargins\":false}",
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":28,\"h\":26,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":26,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelIndex\":\"4\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":38,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelIndex\":\"5\",\"embeddableConfig\":{\"columns\":[\"beat.hostname\",\"auditd.summary.actor.primary\",\"auditd.summary.actor.secondary\",\"auditd.summary.object.type\",\"event.action\",\"auditd.summary.object.primary\",\"auditd.summary.object.secondary\",\"auditd.summary.how\",\"auditd.result\"]},\"panelRefName\":\"panel_2\"}]",
"timeRestore": false,
"title": "[Auditbeat auditd] Overview dashboard",
"version": 1
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "97680df0-c1c0-11e7-8995-936807a28b16"
},
{
"name": "panel_1",
"type": "visualization",
"id": "08679220-c25a-11e7-8692-232bd1143e8a"
},
{
"name": "panel_2",
"type": "search",
"id": "0f10c430-c1c3-11e7-8995-936807a28b16"
}
],
"migrationVersion": {
"dashboard": "7.3.0"
}
},
{
"id": "97680df0-c1c0-11e7-8995-936807a28b16",
"type": "visualization",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE1OTksMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"title": "Event Actions [Auditbeat Auditd Overview]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"type\":\"metrics\",\"params\":{\"bar_color_rules\":[{\"id\":\"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_color_rules\":[{\"id\":\"5d20a650-c1bd-11e7-938f-ab0645b6c431\"}],\"background_color_rules\":[{\"id\":\"58c95a20-c1bd-11e7-938f-ab0645b6c431\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"auditbeat-*\",\"gauge_inner_width\":10,\"series\":[{\"line_width\":1,\"terms_field\":\"event.action\",\"point_size\":1,\"color\":\"#68BC00\",\"label\":\"Actions\",\"metrics\":[{\"type\":\"count\",\"id\":\"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\"}],\"seperate_axis\":0,\"split_mode\":\"terms\",\"chart_type\":\"line\",\"stacked\":\"none\",\"axis_position\":\"right\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"fill\":0.5}],\"axis_formatter\":\"number\",\"interval\":\"auto\",\"filter\":{\"query\":\"event.module:auditd\",\"language\":\"lucene\"},\"legend_position\":\"left\",\"show_legend\":1,\"show_grid\":1,\"gauge_style\":\"half\",\"axis_position\":\"left\",\"gauge_width\":10,\"type\":\"timeseries\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\"},\"aggs\":[],\"title\":\"Event Actions [Auditbeat Auditd Overview]\"}"
},
"references": [],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "08679220-c25a-11e7-8692-232bd1143e8a",
"type": "visualization",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE2MDAsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"title": "Event Categories [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"type\":\"pie\",\"params\":{\"legendPosition\":\"right\",\"type\":\"pie\",\"isDonut\":true,\"addTooltip\":true,\"addLegend\":true},\"aggs\":[{\"params\":{},\"type\":\"count\",\"enabled\":true,\"id\":\"1\",\"schema\":\"metric\"},{\"params\":{\"orderBy\":\"1\",\"field\":\"event.category\",\"customLabel\":\"Category\",\"order\":\"desc\",\"size\":5},\"type\":\"terms\",\"enabled\":true,\"id\":\"2\",\"schema\":\"segment\"},{\"params\":{\"orderBy\":\"1\",\"field\":\"event.action\",\"customLabel\":\"Action\",\"order\":\"desc\",\"size\":20},\"type\":\"terms\",\"enabled\":true,\"id\":\"3\",\"schema\":\"segment\"}],\"title\":\"Event Categories [Auditbeat Auditd]\"}",
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "auditbeat-*"
},
{
"type": "search",
"name": "search_0",
"id": "0f10c430-c1c3-11e7-8995-936807a28b16"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "0f10c430-c1c3-11e7-8995-936807a28b16",
"type": "search",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE2MDEsMV0=",
"attributes": {
"columns": [
"beat.hostname",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"event.action",
"auditd.summary.object.type",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.summary.how",
"auditd.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}},\"meta\":{\"value\":\"auditd\",\"disabled\":false,\"alias\":null,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"key\":\"event.module\",\"negate\":false,\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"}}],\"version\":true,\"highlightAll\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"sort": [
[
"@timestamp",
"desc"
]
],
"title": "Audit Event Table [Auditbeat Auditd]",
"version": 1
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "auditbeat-*"
},
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern",
"id": "auditbeat-*"
}
],
"migrationVersion": {
"search": "7.4.0"
}
}
]
}

167
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/filebeat/kibana/7/dashboard-custom/Filebeat-syslog-custom.json Normal file
View File

@@ -0,0 +1,167 @@
{
"version": "7.6.2",
"objects": [
{
"id": "1ca59220-ffb0-11e8-a854-ad7782ef6a55",
"type": "dashboard",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzcsMV0=",
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":false}",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":41,\"i\":\"1\"},\"panelIndex\":\"1\",\"title\":\"Syslog Events\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":27,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":17,\"y\":0,\"w\":13,\"h\":27,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":17,\"h\":27,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"timeRestore": false,
"title": "[Filebeat] Syslog dashboard",
"version": 1
},
"references": [
{
"name": "panel_0",
"type": "search",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
},
{
"name": "panel_1",
"type": "visualization",
"id": "462e04d0-ffb3-11e8-a854-ad7782ef6a55"
},
{
"name": "panel_2",
"type": "visualization",
"id": "cc3f9cf0-ffb3-11e8-a854-ad7782ef6a55"
},
{
"name": "panel_3",
"type": "visualization",
"id": "96e77ef0-ffb4-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"dashboard": "7.3.0"
}
},
{
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55",
"type": "search",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzMsMV0=",
"attributes": {
"columns": [
"host.name",
"syslog.severity_label",
"syslog.facility_label",
"process.program",
"message"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"_exists_:syslog\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"sort": [
[
"@timestamp",
"desc"
]
],
"title": "[Filebeat] Syslog search",
"version": 1
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "filebeat-*"
}
],
"migrationVersion": {
"search": "7.4.0"
}
},
{
"id": "462e04d0-ffb3-11e8-a854-ad7782ef6a55",
"type": "visualization",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzQsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "[Filebeat] Syslog by Host Timeline",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"[Filebeat] Syslog by Host Timeline\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Host\"}}]}",
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "cc3f9cf0-ffb3-11e8-a854-ad7782ef6a55",
"type": "visualization",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzUsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "[Filebeat] Syslog Process Cloud",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"[Filebeat] Syslog Process Cloud\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"process.program\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process\"}}]}",
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "96e77ef0-ffb4-11e8-a854-ad7782ef6a55",
"type": "visualization",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzYsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "[Filebeat] Syslog Facility by Host Pie Chart",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"[Filebeat] Syslog Facility by Host Pie Chart\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":false,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.facility_label\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Syslog Facility\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Host\"}}]}",
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
}
]
}

112
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/protologbeat/kibana/7/dashboard/Protologbeat-temperatures-dashboard.json Normal file
View File

@@ -0,0 +1,112 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Temperature Timeline",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Temperature Timeline\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Max cpu_temp_avg\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Maximum CPU °C\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\"},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\",\"data\":{\"id\":\"3\",\"label\":\"Maximum Other °C\"},\"valueAxis\":\"ValueAxis-1\"},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\",\"data\":{\"id\":\"4\",\"label\":\"Maximum GPU °C\"},\"valueAxis\":\"ValueAxis-1\"},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\",\"data\":{\"id\":\"8\",\"label\":\"Maximum Storage °C\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu_temp_avg\",\"customLabel\":\"Maximum CPU °C\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"time_zone\":\"America/Denver\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"other_temp_avg\",\"customLabel\":\"Maximum Other °C\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"gpu_temp_avg\",\"customLabel\":\"Maximum GPU °C\"}},{\"id\":\"8\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"hdd_temp_avg\",\"customLabel\":\"Maximum Storage °C\"}}]}"
},
"id": "752a7e30-03af-11e9-bf7f-6138c205dfb3",
"type": "visualization",
"updated_at": "2018-12-20T18:16:43.966Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Host Chooser",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Host Chooser\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1545248066352\",\"indexPattern\":\"protologbeat-*\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Host\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"}}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}"
},
"id": "293d13a0-03c5-11e9-b42b-a7822d24ca20",
"type": "visualization",
"updated_at": "2018-12-19T19:34:54.681Z",
"version": 1
},
{
"attributes": {
"columns": [
"host.name",
"cpu_temp_avg",
"hdd_temp_avg",
"other_temp_avg"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Protologbeat search",
"version": 1
},
"id": "65345580-03c5-11e9-b42b-a7822d24ca20",
"type": "search",
"updated_at": "2018-12-20T18:16:42.939Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "CPU and Storage Temperature Gauge",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 60\":\"rgb(0,104,55)\",\"60 - 70\":\"rgb(255,255,190)\",\"70 - 90\":\"rgb(165,0,38)\"}}}",
"version": 1,
"visState": "{\"title\":\"CPU and Storage Temperature Gauge\",\"type\":\"gauge\",\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"verticalSplit\":false,\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":60},{\"from\":60,\"to\":70},{\"from\":70,\"to\":90}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"\",\"fontSize\":60,\"labelColor\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu_temp_avg\",\"customLabel\":\"Maximum CPU °C\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"hdd_temp_avg\",\"customLabel\":\"Maximum Storage °C\"}}]}"
},
"id": "db628ba0-03c5-11e9-b42b-a7822d24ca20",
"type": "visualization",
"updated_at": "2018-12-20T18:16:43.991Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Maximum Sensor CPU and Storage Temperatures",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Maximum Sensor CPU and Storage Temperatures\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Maximum CPU °C\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Maximum CPU °C\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"data\":{\"id\":\"3\",\"label\":\"Maximum Storage °C\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"orderBucketsBySum\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu_temp_avg\",\"customLabel\":\"Maximum CPU °C\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sensor Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"hdd_temp_avg\",\"customLabel\":\"Maximum Storage °C\"}}]}"
},
"id": "923c3ce0-03c6-11e9-b42b-a7822d24ca20",
"type": "visualization",
"updated_at": "2018-12-20T18:16:43.961Z",
"version": 1
},
{
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":false}",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":31,\"w\":48,\"h\":35,\"i\":\"1\"},\"id\":\"752a7e30-03af-11e9-bf7f-6138c205dfb3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":20,\"h\":11,\"i\":\"2\"},\"id\":\"293d13a0-03c5-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"2\",\"title\":\"Sensor Filter\",\"type\":\"visualization\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":66,\"w\":48,\"h\":29,\"i\":\"3\"},\"id\":\"65345580-03c5-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"3\",\"title\":\"Sensor Metrics\",\"type\":\"search\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":11,\"w\":20,\"h\":20,\"i\":\"4\"},\"id\":\"db628ba0-03c5-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":20,\"y\":0,\"w\":28,\"h\":31,\"i\":\"5\"},\"id\":\"923c3ce0-03c6-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.5.3\"}]",
"timeRestore": false,
"title": "Sensor Temperature dashboard",
"version": 1
},
"id": "3c519150-03c5-11e9-b42b-a7822d24ca20",
"type": "dashboard",
"updated_at": "2018-12-20T18:16:43.882Z",
"version": 1
}
],
"version": "6.5.3"
}

16
Vagrant/resources/malcolm/sensor-iso/config/includes.chroot/usr/share/protologbeat/kibana/7/index-pattern/protologbeat.json Normal file
View File

File diff suppressed because one or more lines are too long