Fix formatting, add Splunk ASN lookup app

Vagrant/Vagrantfile

@@ -64,7 +64,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
-    cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true
+    cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
     cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
 
     cfg.vm.provider "vmware_fusion" do |v, override|
@@ -111,7 +111,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
-    cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true
+    cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
     cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: true
@@ -169,7 +169,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: true
-    cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true
+    cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
     cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true

Vagrant/bootstrap.sh

@@ -15,12 +15,11 @@ apt_install_prerequisites() {
 fix_eth1_static_ip() {
   # There's a fun issue where dhclient keeps messing with eth1 despite the fact
   # that eth1 has a static IP set. We workaround this by setting a static DHCP lease.
-  echo -e 'lease {
+  echo -e 'interface "eth1" {
-      interface "eth1";
+    send host-name = gethostname();
-      fixed-address 192.168.38.105;
     send dhcp-requested-address 192.168.38.105;
   }' >> /etc/dhcp/dhclient.conf
-  systemctl restart networking.service
+  service networking restart
   # Fix eth1 if the IP isn't set correctly
   ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
   if [ "$ETH1_IP" != "192.168.38.105" ]; then
@@ -66,6 +65,7 @@ install_golang() {
     echo 'export GOROOT=/usr/local/go' >> /home/vagrant/.bashrc
     echo 'export GOPATH=$HOME/.go' >> /root/.bashrc
     echo 'export GOROOT=/usr/local/go' >> /root/.bashrc
+    echo 'export PATH=$PATH:/opt/splunk/bin' >> /root/.bashrc
     source /root/.bashrc
     sudo update-alternatives --install "/usr/bin/go" "go" "/usr/local/go/bin/go" 0
     sudo update-alternatives --set go /usr/local/go/bin/go
@@ -96,11 +96,15 @@ install_splunk() {
     /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_012.tgz -auth 'admin:changeme'
     # Add a Splunk TCP input on port 9997
     echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
     # Add props.conf and transforms.conf
     cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/
     cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
+    cp /opt/splunk/etc/system/default/limits.conf /opt/splunk/etc/system/local/limits.conf
+    # Bump the memtable limits to allow for the ASN lookup table
+    sed -i .bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
     # Skip Splunk Tour and Change Password Dialog
     touch /opt/splunk/etc/.ui_login
     # Enable SSL Login for Splunk
@@ -109,6 +113,8 @@ install_splunk() {
     # Reboot Splunk to make changes take effect
     /opt/splunk/bin/splunk restart
     /opt/splunk/bin/splunk enable boot-start
+    # Generate the ASN lookup table
+    /opt/splunk/bin/splunk search "|asngen | outputlookup asn" -auth 'admin:changeme'
   fi
 }
 
@@ -222,7 +228,7 @@ install_caldera() {
 }
 
 install_bro() {
-    # environment variables
+  # Environment variables
   NODECFG=/opt/bro/etc/node.cfg
   SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
   SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager'
@@ -230,11 +236,11 @@ install_bro() {
   echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list
   curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add -
 
-  # update APT repositories
+  # Update APT repositories
   apt-get -qq -ym update
-  # install tools to build and configure bro
+  # Install tools to build and configure bro
   apt-get -qq -ym install bro crudini
-  # load bro scripts
+  # Load bro scripts
   echo '
   @load protocols/ftp/software
   @load protocols/smtp/software