Merge pull request #431 from clong/update_readme_esxi

Update README.md and ESXi logger code

ESXi/ansible/inventory.yml

@@ -2,7 +2,7 @@
 
 logger:
   hosts:
-    192.168.3.158:
+    192.168.3.205:
       ansible_user: vagrant
       ansible_password: vagrant
       ansible_port: 22
@@ -11,13 +11,13 @@ logger:
 
 dc:
   hosts:
-    192.168.3.189:
+    192.168.3.202:
 
 wef:
   hosts:
-    192.168.3.194:
+    192.168.3.203:
 
 win10:
   hosts:
-    192.168.3.193:
+    192.168.3.204:
 

ESXi/ansible/roles/logger/tasks/main.yml

@@ -160,6 +160,14 @@
     executable: /bin/bash
   become: yes
   shell: |
+    # Get a free Maxmind license here: https://www.maxmind.com/en/geolite2/signup
+    # Required for the ASNgen app to work: https://splunkbase.splunk.com/app/3531/
+    export MAXMIND_LICENSE=
+    if [ -z $MAXMIND_LICENSE ]; then
+      echo "Note: You have not entered a MaxMind license key on line 5 of bootstrap.sh, so the ASNgen Splunk app may not work correctly."
+      echo "However, it is not required and everything else should function correctly."
+    fi
+
     # Check if Splunk is already installed
     if [ -f "/opt/splunk/bin/splunk" ]; then
       echo "[$(date +%H:%M:%S)]: Splunk is already installed"
@@ -183,7 +191,14 @@
         # Download Hardcoded Splunk
         wget --progress=bar:force -O /opt/splunk-8.0.2-a7f645ddaf91-linux-2.6-amd64.deb 'https://download.splunk.com/products/splunk/releases/8.0.2/linux/splunk-8.0.2-a7f645ddaf91-linux-2.6-amd64.deb&wget=true'
       fi
-      dpkg -i /opt/splunk*.deb
+      if ! ls /opt/splunk*.deb 1> /dev/null 2>&1; then
+        echo "Something went wrong while trying to download Splunk. This script cannot continue. Exiting."
+        exit 1
+      fi
+      if ! dpkg -i /opt/splunk*.deb > /dev/null; then
+        echo "Something went wrong while trying to install Splunk. This script cannot continue. Exiting."
+        exit 1
+      fi
       /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
       /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
       /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
@@ -193,9 +208,9 @@
       /opt/splunk/bin/splunk add index zeek -auth 'admin:changeme'
       /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
       /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
-      /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
+      /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme'
-      /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
+      /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme'
-      /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
+      /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_110.tgz -auth 'admin:changeme'
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
@@ -204,6 +219,13 @@
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
       /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme'
 
+      # Install the Maxmind license key for the ASNgen App
+      if [ ! -z $MAXMIND_LICENSE ]; then
+        mkdir /opt/splunk/etc/apps/TA-asngen/local 
+        cp /opt/splunk/etc/apps/TA-asngen/default/asngen.conf /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
+        sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
+      fi
+
       # Add custom Macro definitions for ThreatHunting App
       cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
       # Fix Windows TA macros
@@ -385,7 +407,7 @@
     echo "[$(date +%H:%M:%S)]: Installing Zeek..."
     sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
     wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key
-    apt-key add - </tmp/Release.key
+    apt-key add - </tmp/Release.key &>/dev/null
 
 - name: Install Zeek Packages
   become: yes
@@ -483,7 +505,7 @@
     cd /opt
     apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
     wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
-    tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
+    tar -xf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
     ./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole."
     ldconfig
     cd /var/lib/tomcat8/webapps
@@ -510,6 +532,6 @@
     # Include Splunk and Zeek in the PATH
     echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
     # Ping DetectionLab server for usage statistics
-    curl -A "DetectionLab-logger" "https://detectionlab.network/logger"
+    curl -s -A "DetectionLab-logger" "https://detectionlab.network/logger"
 
 

README.md

@@ -34,71 +34,24 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
 * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 * SMBv1 Auditing is enabled
 
-
 ## Requirements
 * 55GB+ of free disk space
 * 16GB+ of RAM
 * Packer 1.3.2 or newer
-* Vagrant 2.2.2 or newer
+* Vagrant 2.2.7 or newer
 * Virtualbox or VMWare Fusion/Workstation
 
 ---
 
-## Quickstart
+## Building Detection Lab
-* [AWS](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform))
+
+Please view the quickstart guides based on the operating system you are using. The AWS/Terraform DetectionLab can be launched from any operating system.
+
+* [AWS via Terraform](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform))
 * [MacOS](https://github.com/clong/DetectionLab/wiki/Quickstart---MacOS)
 * [Windows](https://github.com/clong/DetectionLab/wiki/Quickstart---Windows)
 * [Linux](https://github.com/clong/DetectionLab/wiki/Quickstart-Linux)
-
+* [ESXi](https://github.com/clong/DetectionLab/tree/master/ESXi)
----
-
-## Building DetectionLab from Scratch
-1. Determine which Vagrant provider you want to use. Current supported providers are:
-
-  - Virtualbox
-  - VMware Workstation & Fusion
-    - Note: Virtualbox is free, the [VMWare Desktop Vagrant plugin](https://www.vagrantup.com/vmware/#buy-now) is $80 and is required to use Vagrant with VMware.
-
-There are currently three ways to build the lab:
-* **Recommended**: Use the boxes hosted on [Vagrant Cloud](https://app.vagrantup.com/detectionlab). This method should take **~1 hour 20 minutes** total to download the boxes and provision the lab.
-* Build the boxes yourself using Packer. This method will take ~1-2 hours to build the boxes and another ~90-120 minutes to provision them for a total of **2.5 - 4 hours**.
-* [Provision the lab in AWS using Terraform](Terraform/README.md). The lab can be brought online in under **30 minutes**.
-
-If you choose to use the boxes hosted on Vagrant Cloud, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.
-
-
-2. `cd` to the Packer directory and build the Windows 10 and Windows Server 2016 boxes using the commands below. Each build will take about 45 minutes.
-
-```
-$ cd detectionlab/Packer
-$ packer build --only=[vmware|virtualbox]-iso windows_10.json
-$ packer build --only=[vmware|virtualbox]-iso windows_2016.json
-```
-
-3. Once both boxes have built successfully, move the resulting boxes (.box files) in the Packer folder to the Boxes folder:
-
-    `mv *.box ../Boxes`
-
-4. `cd` into the Vagrant directory: `cd ../Vagrant` and edit the `Vagrantfile`. Change the lines `cfg.vm.box = "detectionlab/win2016"` and `cfg.vm.box = "detectionlab/win10` to `cfg.vm.box = "../Boxes/windows_2016_<provider>.box"` and "`cfg.vm.box = "../Boxes/windows_10_<provider>.box"` respectively.
-
-5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload`
-
-6. **VMware Only:**  
-  * [Buy a license](https://www.vagrantup.com/vmware/index.html#buy-now) for the VMware plugin
-  * Install it with `vagrant plugin install vagrant-vmware-desktop`.
-  * License it with `vagrant plugin license vagrant-vmware-desktop <path_to_.lic>`.
-  * Download and install the VMware Vagrant utility: https://www.vagrantup.com/vmware/downloads.html
-
-7. Ensure you are in the base DetectionLab folder and run `./build.sh` (Mac & Linux) or `./build.ps1` (Windows). This script will do the following:
-  * Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance.
-  * Provision the DC host and configure it as a Domain Controller
-  * Provision the WEF host and configure it as a Windows Event Collector in the Servers OU
-  * Provision the Win10 host and configure it as a computer in the Workstations OU
-
-8. Build logs will be present in the `Vagrant` folder as `vagrant_up_<host>.log`. If filing an issue, please paste the contents of that log into a Gist to help with debugging efforts.
-
-9. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
-10. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration).
 
 ---
 

build.ps1

@@ -98,12 +98,12 @@ function check_vagrant {
     break
   }
 
-  # Check Vagrant version >= 2.2.2
+  # Check Vagrant version >= 2.2.7
   [System.Version]$vagrant_version = $(vagrant --version).Split(' ')[1]
-  [System.Version]$version_comparison = 2.2.2
+  [System.Version]$version_comparison = 2.2.7
 
   if ($vagrant_version -lt $version_comparison) {
-    Write-Warning 'It is highly recommended to use Vagrant 2.2.2 or above before continuing'
+    Write-Warning 'It is highly recommended to use Vagrant 2.2.7 or above before continuing'
   }
 }
 

build.sh

@@ -29,10 +29,10 @@ check_vagrant_path() {
     (echo >&2 "Please correct this before continuing. Quitting.")
     exit 1
   fi
-  # Ensure Vagrant >= 2.2.2
+  # Ensure Vagrant >= 2.2.7
   # https://unix.stackexchange.com/a/285928
   VAGRANT_VERSION="$(vagrant --version | cut -d ' ' -f 2)"
-  REQUIRED_VERSION="2.2.2"
+  REQUIRED_VERSION="2.2.7"
   # If the version of Vagrant is not greater than the required version
   if ! [ "$(printf '%s\n' "$REQUIRED_VERSION" "$VAGRANT_VERSION" | sort -V | head -n1)" = "$REQUIRED_VERSION" ]; then
     (echo >&2 "WARNING: It is highly recommended to use Vagrant $REQUIRED_VERSION or above before continuing")