Fixing logger bugs, updating vm tools, updating Win10 ISO
This commit is contained in:
Chris Long
11
Vagrant/Vagrantfile
vendored
11
Vagrant/Vagrantfile
vendored
@@ -1,11 +1,5 @@
|
||||
|
||||
|
||||
Vagrant.configure("2") do |config|
|
||||
|
||||
config.vm.provider "libvirt" do |libvirt|
|
||||
|
||||
end
|
||||
|
||||
config.vm.define "logger" do |cfg|
|
||||
cfg.vm.box = "bento/ubuntu-18.04"
|
||||
cfg.vm.hostname = "logger"
|
||||
@@ -84,6 +78,7 @@ Vagrant.configure("2") do |config|
|
||||
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
|
||||
cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
|
||||
cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
|
||||
cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
v.vmx["displayname"] = "dc.windomain.local"
|
||||
@@ -132,7 +127,6 @@ Vagrant.configure("2") do |config|
|
||||
|
||||
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: true, args: "-ip 192.168.38.103 -dns 8.8.8.8 -gateway 192.168.38.1"
|
||||
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
|
||||
cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false
|
||||
cfg.vm.provision "reload"
|
||||
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
|
||||
cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
|
||||
@@ -150,6 +144,7 @@ Vagrant.configure("2") do |config|
|
||||
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
|
||||
cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
|
||||
cfg.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: false
|
||||
cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
v.vmx["displayname"] = "wef.windomain.local"
|
||||
@@ -196,7 +191,6 @@ Vagrant.configure("2") do |config|
|
||||
cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: true, args: "-ip 192.168.38.104 -dns 8.8.8.8 -gateway 192.168.38.1"
|
||||
cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
|
||||
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
|
||||
cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false
|
||||
cfg.vm.provision "reload"
|
||||
cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
|
||||
cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
|
||||
@@ -208,6 +202,7 @@ Vagrant.configure("2") do |config|
|
||||
cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
|
||||
cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
|
||||
cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
|
||||
cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false
|
||||
|
||||
cfg.vm.provider "vmware_desktop" do |v, override|
|
||||
v.vmx["displayname"] = "win10.windomain.local"
|
||||
|
||||
@@ -1,5 +1,13 @@
|
||||
#! /bin/bash
|
||||
|
||||
# Get a free Maxmind license here: https://www.maxmind.com/en/geolite2/signup
|
||||
# Required for the ASNgen app to work: https://splunkbase.splunk.com/app/3531/
|
||||
export MAXMIND_LICENSE=
|
||||
if [ -z $MAXMIND_LICENSE ]; then
|
||||
echo "Note: You have not entered a MaxMind license key on line 5 of bootstrap.sh, so the ASNgen Splunk app may not work correctly."
|
||||
echo "However, it is not required and everything else should function correctly."
|
||||
fi
|
||||
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections
|
||||
echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections
|
||||
@@ -133,7 +141,7 @@ install_splunk() {
|
||||
/opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_110.tgz -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
|
||||
@@ -142,6 +150,13 @@ install_splunk() {
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
|
||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme'
|
||||
|
||||
# Install the Maxmind license key for the ASNgen App
|
||||
if [ ! -z $MAXMIND_LICENSE ]; then
|
||||
mkdir /opt/splunk/etc/apps/TA-asngen/local
|
||||
cp /opt/splunk/etc/apps/TA-asngen/default/asngen.conf /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
|
||||
sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
|
||||
fi
|
||||
|
||||
# Add custom Macro definitions for ThreatHunting App
|
||||
cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
|
||||
# Fix Windows TA macros
|
||||
@@ -174,8 +189,6 @@ render_version_messages = 1
|
||||
dismissedInstrumentationOptInVersion = 4
|
||||
notification_python_3_impact = false
|
||||
display.page.home.dashboardId = /servicesNS/nobody/search/data/ui/views/logger_dashboard' > /opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf
|
||||
# Disable the instrumentation popup
|
||||
echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >>/opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
|
||||
# Enable SSL Login for Splunk
|
||||
echo -e "[settings]\nenableSplunkWebSSL = true" >/opt/splunk/etc/system/local/web.conf
|
||||
# Copy over the Logger Dashboard
|
||||
@@ -186,8 +199,6 @@ display.page.home.dashboardId = /servicesNS/nobody/search/data/ui/views/logger_d
|
||||
# Reboot Splunk to make changes take effect
|
||||
/opt/splunk/bin/splunk restart
|
||||
/opt/splunk/bin/splunk enable boot-start
|
||||
# Generate the ASN lookup table
|
||||
/opt/splunk/bin/splunk search "|asngen | outputlookup asn" -auth 'admin:changeme'
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -267,7 +278,7 @@ install_zeek() {
|
||||
SPLUNK_SURICATA_SOURCETYPE='json_suricata'
|
||||
sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
|
||||
wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key
|
||||
apt-key add - </tmp/Release.key
|
||||
apt-key add - </tmp/Release.key &>/dev/null
|
||||
# Update APT repositories
|
||||
apt-get -qq -ym update
|
||||
# Install tools to build and configure Zeek
|
||||
@@ -403,7 +414,7 @@ install_guacamole() {
|
||||
cd /opt
|
||||
apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
|
||||
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
|
||||
tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
|
||||
tar -xf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
|
||||
./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole."
|
||||
ldconfig
|
||||
cd /var/lib/tomcat8/webapps
|
||||
@@ -425,7 +436,7 @@ postinstall_tasks() {
|
||||
# Include Splunk and Zeek in the PATH
|
||||
echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
|
||||
# Ping DetectionLab server for usage statistics
|
||||
curl -A "DetectionLab-logger" "https://detectionlab.network/logger"
|
||||
curl -s -A "DetectionLab-logger" "https://detectionlab.network/logger"
|
||||
}
|
||||
|
||||
main() {
|
||||
|
||||
Binary file not shown.
BIN
Vagrant/resources/splunk_server/asn-lookup-generator_110.tgz
Normal file
BIN
Vagrant/resources/splunk_server/asn-lookup-generator_110.tgz
Normal file
Binary file not shown.
Reference in New Issue
Block a user