Logger bump to Ubuntu 18.04 & Migrate to Zeek

This commit is contained in:
Chris Long
2019-12-20 15:48:13 -08:00
parent beecfbf2e2
commit 7e17727cbb
9 changed files with 96 additions and 87 deletions


@@ -171,7 +171,7 @@ resource "aws_instance" "logger" {
# Provision the AWS Ubuntu 16.04 AMI from scratch. # Provision the AWS Ubuntu 16.04 AMI from scratch.
provisioner "remote-exec" { provisioner "remote-exec" {
inline = [ inline = [
"sudo add-apt-repository universe && sudo apt-get -qq update && sudo apt-get -qq install -y git", "sudo apt-get -qq update && sudo apt-get -qq install -y git",
"echo 'logger' | sudo tee /etc/hostname && sudo hostnamectl set-hostname logger", "echo 'logger' | sudo tee /etc/hostname && sudo hostnamectl set-hostname logger",
"sudo adduser --disabled-password --gecos \"\" vagrant && echo 'vagrant:vagrant' | sudo chpasswd", "sudo adduser --disabled-password --gecos \"\" vagrant && echo 'vagrant:vagrant' | sudo chpasswd",
"sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh", "sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh",
@@ -179,7 +179,6 @@ resource "aws_instance" "logger" {
"sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab", "sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab",
"sudo sed -i 's/eth1/eth0/g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's/eth1/eth0/g' /opt/DetectionLab/Vagrant/bootstrap.sh",
"sudo sed -i 's/ETH1/ETH0/g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's/ETH1/ETH0/g' /opt/DetectionLab/Vagrant/bootstrap.sh",
"sudo sed -i 's#/usr/local/go/bin/go get -u#GOPATH=/root/go /usr/local/go/bin/go get -u#g' /opt/DetectionLab/Vagrant/bootstrap.sh",
"sudo sed -i 's#/vagrant/resources#/opt/DetectionLab/Vagrant/resources#g' /opt/DetectionLab/Vagrant/bootstrap.sh", "sudo sed -i 's#/vagrant/resources#/opt/DetectionLab/Vagrant/resources#g' /opt/DetectionLab/Vagrant/bootstrap.sh",
"sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config", "sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config",
"sudo service ssh restart", "sudo service ssh restart",


@@ -52,7 +52,7 @@ data "aws_ami" "logger_ami" {
filter { filter {
name = "name" name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20180912"] values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20191113"]
} }
} }
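Review bot: The new AMI filter matches on name only; unless the `owners` argument of `data "aws_ami" "logger_ami"` (which starts outside this hunk) restricts the lookup, a public AMI published by any account under the same name would satisfy the filter. If it is not already set, add `owners = ["099720109477"]` (Canonical's account) next to the filter so the pin is on publisher as well as name. Pinning to the dated `20191113` image also freezes the base at that patch level, which is fine for a lab but deserves a one-line comment saying so.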

Vagrant/Vagrantfile vendored

@@ -1,7 +1,7 @@
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
config.vm.define "logger" do |cfg| config.vm.define "logger" do |cfg|
cfg.vm.box = "bento/ubuntu-16.04" cfg.vm.box = "bento/ubuntu-18.04"
cfg.vm.hostname = "logger" cfg.vm.hostname = "logger"
cfg.vm.provision :shell, path: "bootstrap.sh" cfg.vm.provision :shell, path: "bootstrap.sh"
cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8" cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"


@@ -3,7 +3,6 @@
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections; echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections;
echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections; echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections;
sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse" /etc/apt/sources.list
apt_install_prerequisites() { apt_install_prerequisites() {
echo "[$(date +%H:%M:%S)]: Adding apt repositories..." echo "[$(date +%H:%M:%S)]: Adding apt repositories..."
@@ -62,9 +61,9 @@ fix_eth1_static_ip() {
send host-name = gethostname(); send host-name = gethostname();
send dhcp-requested-address 192.168.38.105; send dhcp-requested-address 192.168.38.105;
}' >> /etc/dhcp/dhclient.conf }' >> /etc/dhcp/dhclient.conf
service networking restart netplan apply
# Fix eth1 if the IP isn't set correctly # Fix eth1 if the IP isn't set correctly
ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1) ETH1_IP=$(ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
if [ "$ETH1_IP" != "192.168.38.105" ]; then if [ "$ETH1_IP" != "192.168.38.105" ]; then
echo "Incorrect IP Address settings detected. Attempting to fix." echo "Incorrect IP Address settings detected. Attempting to fix."
ifdown eth1 ifdown eth1
@@ -111,13 +110,14 @@ install_splunk() {
/opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme' /opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
/opt/splunk/bin/splunk add index sysmon -auth 'admin:changeme' /opt/splunk/bin/splunk add index sysmon -auth 'admin:changeme'
/opt/splunk/bin/splunk add index powershell -auth 'admin:changeme' /opt/splunk/bin/splunk add index powershell -auth 'admin:changeme'
/opt/splunk/bin/splunk add index bro -auth 'admin:changeme' /opt/splunk/bin/splunk add index zeek -auth 'admin:changeme'
/opt/splunk/bin/splunk add index suricata -auth 'admin:changeme' /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
/opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme' /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
@@ -194,12 +194,12 @@ install_splunk() {
echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/system/local/ui-tour.conf echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/system/local/ui-tour.conf
mkdir /opt/splunk/etc/apps/user-prefs/local mkdir /opt/splunk/etc/apps/user-prefs/local
echo '[general] echo '[general]
render_version_messages = 0 render_version_messages = 0
hideInstrumentationOptInModal = 1 hideInstrumentationOptInModal = 1
dismissedInstrumentationOptInVersion = 2 dismissedInstrumentationOptInVersion = 2
[general_default] [general_default]
hideInstrumentationOptInModal = 1 hideInstrumentationOptInModal = 1
showWhatsNew = 0' > /opt/splunk/etc/system/local/user-prefs.conf showWhatsNew = 0' > /opt/splunk/etc/system/local/user-prefs.conf
# Enable SSL Login for Splunk # Enable SSL Login for Splunk
echo -e "[settings]\nenableSplunkWebSSL = true" > /opt/splunk/etc/system/local/web.conf echo -e "[settings]\nenableSplunkWebSSL = true" > /opt/splunk/etc/system/local/web.conf
@@ -244,14 +244,22 @@ download_palantir_osquery_config() {
} }
import_osquery_config_into_fleet() { import_osquery_config_into_fleet() {
wget --progress=bar:force https://github.com/kolide/fleet/releases/download/2.1.1/fleet_2.1.1.zip wget --progress=bar:force https://github.com/kolide/fleet/releases/download/2.4.0/fleet_2.4.0.zip
unzip fleet_2.1.1.zip -d fleet_2.1.1 unzip fleet_2.4.0.zip -d fleet_2.4.0
cp fleet_2.1.1/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl cp fleet_2.4.0/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl
fleetctl config set --address https://192.168.38.105:8412 fleetctl config set --address https://192.168.38.105:8412
fleetctl config set --tls-skip-verify true fleetctl config set --tls-skip-verify true
fleetctl setup --email admin@detectionlab.network --username admin --password 'admin123#' --org-name DetectionLab fleetctl setup --email admin@detectionlab.network --username admin --password 'admin123#' --org-name DetectionLab
fleetctl login --email admin@detectionlab.network --password 'admin123#' fleetctl login --email admin@detectionlab.network --password 'admin123#'
# Change the query invervals to reflect a lab environment
# Every hour -> Every 3 minutes
# Every 24 hours -> Every 15 minutes
sed -i 's/interval: 3600/interval: 180/g' osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
sed -i 's/interval: 3600/interval: 180/g' osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
# Use fleetctl to import YAML files # Use fleetctl to import YAML files
fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
@@ -264,27 +272,27 @@ import_osquery_config_into_fleet() {
/opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme' /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme'
} }
install_bro() { install_zeek() {
echo "[$(date +%H:%M:%S)]: Installing Bro..." echo "[$(date +%H:%M:%S)]: Installing Zeek..."
# Environment variables # Environment variables
NODECFG=/opt/bro/etc/node.cfg NODECFG=/opt/zeek/etc/node.cfg
SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json SPLUNK_ZEEK_JSON=/opt/splunk/etc/apps/Splunk_TA_bro
SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager' SPLUNK_ZEEK_MONITOR='monitor:///opt/zeek/spool/manager'
SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata' SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
SPLUNK_SURICATA_SOURCETYPE='json_suricata' SPLUNK_SURICATA_SOURCETYPE='json_suricata'
echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add - wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key
apt-key add - < /tmp/Release.key
# Update APT repositories # Update APT repositories
apt-get -qq -ym update apt-get -qq -ym update
# Install tools to build and configure bro # Install tools to build and configure Zeek
apt-get -qq -ym install bro crudini python-pip apt-get -qq -ym install zeek crudini python-pip
export PATH=$PATH:/opt/bro/bin export PATH=$PATH:/opt/zeek/bin
pip install bro-pkg future pip install zkg
bro-pkg refresh zkg refresh
bro-pkg autoconfig zkg autoconfig
bro-pkg install --force salesforce/ja3 zkg install --force salesforce/ja3
# Load bro scripts # Load Zeek scripts
echo ' echo '
@load protocols/ftp/software @load protocols/ftp/software
@load protocols/smtp/software @load protocols/smtp/software
@@ -296,59 +304,56 @@ install_bro() {
@load frameworks/intel/seen @load frameworks/intel/seen
@load frameworks/intel/do_notice @load frameworks/intel/do_notice
@load frameworks/files/hash-all-files @load frameworks/files/hash-all-files
@load policy/protocols/smb @load base/protocols/smb
@load policy/protocols/conn/vlan-logging @load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging @load policy/protocols/conn/mac-logging
@load ja3 @load ja3
redef Intel::read_files += { redef Intel::read_files += {
"/opt/bro/etc/intel.dat" "/opt/zeek/etc/intel.dat"
}; };
' >> /opt/bro/share/bro/site/local.bro ' >> /opt/zeek/share/zeek/site/local.zeek
# Configure Bro # Configure Zeek
crudini --del $NODECFG bro crudini --del $NODECFG zeek
crudini --set $NODECFG manager type manager crudini --set $NODECFG manager type manager
crudini --set $NODECFG manager host localhost crudini --set $NODECFG manager host localhost
crudini --set $NODECFG proxy type proxy crudini --set $NODECFG proxy type proxy
crudini --set $NODECFG proxy host localhost crudini --set $NODECFG proxy host localhost
# Setup $CPUS numbers of bro workers # Setup $CPUS numbers of Zeek workers
crudini --set $NODECFG worker-eth1 type worker crudini --set $NODECFG worker-eth1 type worker
crudini --set $NODECFG worker-eth1 host localhost crudini --set $NODECFG worker-eth1 host localhost
crudini --set $NODECFG worker-eth1 interface eth1 crudini --set $NODECFG worker-eth1 interface eth1
crudini --set $NODECFG worker-eth1 lb_method pf_ring crudini --set $NODECFG worker-eth1 lb_method pf_ring
crudini --set $NODECFG worker-eth1 lb_procs "$(nproc)" crudini --set $NODECFG worker-eth1 lb_procs "$(nproc)"
# Setup bro to run at boot # Setup Zeek to run at boot
cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service cp /vagrant/resources/zeek/zeek.service /lib/systemd/system/zeek.service
systemctl enable bro systemctl enable zeek
systemctl start bro systemctl start zeek
# Setup splunk TA to ingest bro and suricata data mkdir -p $SPLUNK_ZEEK_JSON/local
git clone https://github.com/jahshuah/splunk-ta-bro-json $SPLUNK_BRO_JSON cp $SPLUNK_ZEEK_JSON/default/inputs.conf $SPLUNK_ZEEK_JSON/local/inputs.conf
mkdir -p $SPLUNK_BRO_JSON/local crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek
cp $SPLUNK_BRO_JSON/default/inputs.conf $SPLUNK_BRO_JSON/local/inputs.conf crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR index bro crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR sourcetype json_bro crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR whitelist '.*\.log$' crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR blacklist '.*(communication|stderr)\.log$' crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR disabled 0 crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype json_suricata crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
crudini --set $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
crudini --set $SPLUNK_BRO_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
# Ensure permissions are correct and restart splunk # Ensure permissions are correct and restart splunk
chown -R splunk $SPLUNK_BRO_JSON chown -R splunk $SPLUNK_ZEEK_JSON
/opt/splunk/bin/splunk restart /opt/splunk/bin/splunk restart
# Verify that Bro is running # Verify that Zeek is running
if ! pgrep -f bro > /dev/null; then if ! pgrep -f zeek > /dev/null; then
echo "Bro attempted to start but is not running. Exiting" echo "Zeek attempted to start but is not running. Exiting"
exit 1 exit 1
fi fi
} }
@@ -378,7 +383,7 @@ install_suricata() {
yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.tls yes yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.tls yes
yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.ssh yes yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.ssh yes
yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.smtp yes yq w -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.smtp yes
# Turn off traffic flow logging (duplicative of Bro and wrecks Splunk trial license) # Turn off traffic flow logging (duplicative of Zeek and wrecks Splunk trial license)
yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove HTTP yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove HTTP
yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove DNS yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove DNS
yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove TLS yq d -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove TLS
@@ -394,7 +399,7 @@ install_suricata() {
crudini --set --format=sh /etc/default/suricata '' iface eth1 crudini --set --format=sh /etc/default/suricata '' iface eth1
# update suricata signature sources # update suricata signature sources
suricata-update update-sources suricata-update update-sources
# disable protocol decode as it is duplicative of bro # disable protocol decode as it is duplicative of Zeek
echo re:protocol-command-decode >> /etc/suricata/disable.conf echo re:protocol-command-decode >> /etc/suricata/disable.conf
# enable et-open and attackdetection sources # enable et-open and attackdetection sources
suricata-update enable-source et/open suricata-update enable-source et/open
@@ -439,7 +444,7 @@ test_suricata_prerequisites() {
install_guacamole() { install_guacamole() {
echo "[$(date +%H:%M:%S)]: Installing Guacamole..." echo "[$(date +%H:%M:%S)]: Installing Guacamole..."
cd /home/vagrant cd /home/vagrant
apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng12-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0 tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
./configure &> /dev/null && make --quiet &> /dev/null && make --quiet install &> /dev/null || echo "[-] An error occurred while installing Guacamole." ./configure &> /dev/null && make --quiet &> /dev/null && make --quiet install &> /dev/null || echo "[-] An error occurred while installing Guacamole."
@@ -460,8 +465,10 @@ install_guacamole() {
} }
postinstall_tasks() { postinstall_tasks() {
# Include Splunk and Bro in the PATH # Include Splunk and Zeek in the PATH
echo export PATH="$PATH:/opt/splunk/bin:/opt/bro/bin" >> ~/.bashrc echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >> ~/.bashrc
# Ping DetectionLab server for usage statistics
curl -A "DetectionLab-logger" "https://detectionlab.network/logger"
} }
main() { main() {
@@ -474,7 +481,7 @@ main() {
download_palantir_osquery_config download_palantir_osquery_config
import_osquery_config_into_fleet import_osquery_config_into_fleet
install_suricata install_suricata
install_bro install_zeek
install_guacamole install_guacamole
postinstall_tasks postinstall_tasks
} }
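Review bot: The new usage ping in postinstall_tasks calls `curl` with no timeout, no silent/fail flags and no opt-out, so on a logger without outbound internet the provisioner stalls until curl gives up and, should the script ever run with errexit, a non-essential request can fail the whole bootstrap. It also sends an unannounced request from a security lab host to a third-party endpoint; gate it and make it best-effort, e.g. `if [ -z "$DETECTIONLAB_NO_TELEMETRY" ]; then curl -s -m 10 -A "DetectionLab-logger" "https://detectionlab.network/logger" >/dev/null 2>&1 || true; fi`, and document the opt-out variable in the README. Separately, the Zeek repository hunk imports the OBS Release.key with `apt-key add`, which trusts that key for every apt source on the box; writing it to `/usr/share/keyrings/` and referencing it with `[signed-by=...]` in the `.list` entry would scope the trust to the Zeek repo. The `zkg install --force salesforce/ja3` and `pip install zkg` lines are likewise unpinned third-party fetches; a version or commit pin would make the build reproducible.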

Vagrant/resources/GPO/wef_configuration/manifest.xml Normal file → Executable file

@@ -1 +1 @@
<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:56:17]]></BackupTime><ID><![CDATA[{AE232F63-0190-47EE-BAF9-B78754178376}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Custom Event Channel Permissions]]></GPODisplayName></BackupInst><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:46:11]]></BackupTime><ID><![CDATA[{F523FD69-7E4C-4315-93D0-557089F1B8A1}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Windows Event Forwarding Server]]></GPODisplayName></BackupInst></Backups> <Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst 
xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{3869352D-95F3-4FB0-BCDA-40191D897625}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{fb2bbf1f-a40e-4090-bf1f-b9abdc11d3a5}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2019-12-04T05:59:36]]></BackupTime><ID><![CDATA[{1C916D7C-52F4-4EB4-8EA7-081349532B3C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Custom Event Channel Permissions]]></GPODisplayName></BackupInst><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:46:11]]></BackupTime><ID><![CDATA[{F523FD69-7E4C-4315-93D0-557089F1B8A1}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Windows Event Forwarding Server]]></GPODisplayName></BackupInst></Backups>


@@ -1,17 +0,0 @@
[Unit]
Description=Bro
After=network.target
[Service]
ExecStartPre=-/opt/bro/bin/broctl cleanup
ExecStartPre=/opt/bro/bin/broctl check
ExecStartPre=/opt/bro/bin/broctl install
ExecStart=/opt/bro/bin/broctl start
ExecStop=/opt/bro/bin/broctl stop
RestartSec=10s
Type=oneshot
RemainAfterExit=yes
TimeoutStopSec=600
[Install]
WantedBy=multi-user.target


@@ -0,0 +1,17 @@
[Unit]
Description=Zeek
After=network.target
[Service]
ExecStartPre=-/opt/zeek/bin/zeekctl cleanup
ExecStartPre=/opt/zeek/bin/zeekctl check
ExecStartPre=/opt/zeek/bin/zeekctl install
ExecStart=/opt/zeek/bin/zeekctl start
ExecStop=/opt/zeek/bin/zeekctl stop
RestartSec=10s
Type=oneshot
RemainAfterExit=yes
TimeoutStopSec=600
[Install]
WantedBy=multi-user.target
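Review bot: `RestartSec=10s` is dead configuration in this unit: no `Restart=` directive is set, and with `Type=oneshot` systemd does not perform automatic restarts anyway, so the line suggests a resilience the service does not have. Either remove it or add a comment such as `# Crash recovery is not handled here; zeekctl must be restarted manually or by its own scheduler` so the expectation is explicit. `After=network.target` does not guarantee eth1 is up when `zeekctl check`/`install` run; if the worker needs the interface present at start, `Wants=network-online.target` plus `After=network-online.target` is the usual ordering, though whether it matters here depends on how netplan brings eth1 up. The unit runs zeekctl as root with no `User=`, which is reasonable for a capture box but worth noting in a comment.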


@@ -7,6 +7,9 @@ $box = $box.ComputerName.ToString().ToLower()
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting timezone to UTC..."
c:\windows\system32\tzutil.exe /s "UTC" c:\windows\system32\tzutil.exe /s "UTC"
# Ping DetectionLab server for usage statistics
curl -userAgent "DetectionLab-$box" "https://detectionlab.network/$box" -UseBasicParsing | out-null
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disable IPv6 on all network adatpers..." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disable IPv6 on all network adatpers..."
Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6} Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6}
Get-NetAdapterBinding -ComponentID ms_tcpip6 Get-NetAdapterBinding -ComponentID ms_tcpip6
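Review bot: The new telemetry line relies on the `curl` alias for Invoke-WebRequest and passes no `-TimeoutSec` or `-ErrorAction`, so on a host without outbound internet it waits for the default timeout and any failure (DNS, TLS, non-2xx) raises an error that, depending on `$ErrorActionPreference`, can halt provisioning for a non-essential call. It also reports the machine's hostname to a third-party endpoint with no opt-out, which a security lab user would reasonably want to disable. Make it explicit and best-effort: `try { Invoke-WebRequest -Uri "https://detectionlab.network/$box" -UserAgent "DetectionLab-$box" -UseBasicParsing -TimeoutSec 10 | Out-Null } catch { }`, and guard it with an environment variable that is documented in the README. These lines sit in the script's top-level body, which continues outside the hunk.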