From ab9dd9487cdb484f663da52e8a36184830f653b0 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Wed, 13 Jan 2021 12:05:16 -0800
Subject: [PATCH] Fix Zeek/Suricata on AWS

---
 AWS/Terraform/main.tf | 1 +
 Vagrant/logger_bootstrap.sh | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/AWS/Terraform/main.tf b/AWS/Terraform/main.tf
index f979483..db9b530 100644
--- a/AWS/Terraform/main.tf
+++ b/AWS/Terraform/main.tf
@@ -193,6 +193,7 @@ resource "aws_instance" "logger" {
 "sudo sed -i 's/eth1/ens5/g' /opt/DetectionLab/Vagrant/logger_bootstrap.sh",
 "sudo sed -i 's/ETH1/ens5/g' /opt/DetectionLab/Vagrant/logger_bootstrap.sh",
 "sudo sed -i 's/eth1/ens5/g' /opt/DetectionLab/Vagrant/resources/suricata/suricata.yaml",
+ "sudo sed -i -e '127,130d' /opt/DetectionLab/Vagrant/resources/suricata/suricata.yaml",
 "sudo sed -i 's#/vagrant/resources#/opt/DetectionLab/Vagrant/resources#g' /opt/DetectionLab/Vagrant/logger_bootstrap.sh",
 "sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config",
 "sudo service ssh restart",
diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh
index 908b956..e6d58a9 100644
--- a/Vagrant/logger_bootstrap.sh
+++ b/Vagrant/logger_bootstrap.sh
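Review bot: The added `sudo sed -i -e '127,130d'` deletes four lines of suricata.yaml by absolute position, so any upstream reordering of that file makes this provisioner silently remove an unrelated stanza with no error, and a reader of the hunk cannot tell what those four lines hold. Anchoring the deletion on content, e.g. a `/<START-PATTERN>/,/<END-PATTERN>/d` range keyed to the text of that stanza, would fail loudly instead of drifting. At minimum add a comment above the entry naming the target: `# drop the <DESCRIBE-STANZA> block from suricata.yaml (lines 127-130 at time of writing; re-check after upstream updates)`. The enclosing remote-exec provisioner list begins and ends outside the hunk.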
@@ -377,11 +377,17 @@ install_zeek() {
 crudini --set $NODECFG proxy host localhost
 # Setup $CPUS numbers of Zeek workers
- crudini --set $NODECFG worker-eth0 type worker
- crudini --set $NODECFG worker-eth0 host localhost
- crudini --set $NODECFG worker-eth0 interface eth0
- crudini --set $NODECFG worker-eth0 lb_method pf_ring
- crudini --set $NODECFG worker-eth0 lb_procs "$(nproc)"
+ # AWS only has a single interface (eth1), so don't monitor eth0 if we're in AWS
+ if ! curl -s 169.254.169.254 --connect-timeout 2 >/dev/null; then
+ # TL;DR of ^^^: if you can't reach the AWS metadata service, you're not running in AWS
+ # Therefore, it's ok to add this.
+ crudini --set $NODECFG worker-eth0 type worker
+ crudini --set $NODECFG worker-eth0 host localhost
+ crudini --set $NODECFG worker-eth0 interface eth0
+ crudini --set $NODECFG worker-eth0 lb_method pf_ring
+ crudini --set $NODECFG worker-eth0 lb_procs "$(nproc)"
+ fi
+
 crudini --set $NODECFG worker-eth1 type worker
 crudini --set $NODECFG worker-eth1 host localhost
 crudini --set $NODECFG worker-eth1 interface eth1
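Review bot: Reachability of 169.254.169.254 is not an AWS-specific signal: the same link-local metadata address answers on other clouds and several hypervisor setups, and since `curl` is run without `-f` any HTTP response (including a 401 from an IMDSv2-only instance, which is what you want here) makes the test succeed, so a non-AWS host with a metadata endpoint would silently lose its eth0 worker and the comment "you're not running in AWS" would be wrong for it. A host-local check is more specific and does not depend on network availability at bootstrap time; on Nitro instances `/sys/class/dmi/id/sys_vendor` reports `Amazon EC2` (older Xen instances expose the vendor in the BIOS strings instead, so confirm the exact field before relying on it), e.g. `if ! grep -qs 'Amazon' /sys/class/dmi/id/sys_vendor; then`. If the metadata probe is kept, say so in the comment: `# Probe the cloud metadata endpoint; this also matches other clouds, not only AWS`. The comment's "(eth1)" is also confusing because main.tf rewrites eth1 to ens5 before this runs; `# In AWS the only NIC is eth1 (renamed to ens5 by the Terraform provisioner), so add the eth0 worker only outside AWS` states it plainly. install_zeek continues outside the hunk, and the header counts 11 old lines while only 10 are visible, so a context line appears lost in extraction.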