Multiple fixes, additions

README.md

@@ -85,9 +85,9 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json
   * Provision the WEF host and configure it as a Windows Event Collector in the Servers OU
   * Provision the Win10 host and configure it as a computer in the Workstations OU
 
-7. Navigate to https://192.168.38.5:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
-8. Navigate to https://192.168.38.5:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration).
-9. Navigate to https://192.168.38.5:8888 in a browser to access the Caldera server on logger. Default credentials are admin:caldera.
+7. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
+8. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration).
+9. Navigate to https://192.168.38.105:8888 in a browser to access the Caldera server on logger. Default credentials are admin:caldera.
 
 ## Basic Vagrant Usage
 Vagrant commands must be run from the "Vagrant" folder.
@@ -108,10 +108,10 @@ Vagrant commands must be run from the "Vagrant" folder.
 ## Lab Information
 * Domain Name: windomain.local
 * Admininstrator login: vagrant:vagrant
-* Fleet login: https://192.168.38.5:8412 - admin:admin123#
-* Splunk login: https://192.168.38.5:8000 - admin:changeme
-* Caldera login: https://192.168.38.5:8888 - admin:caldera
-* MS ATA login: https://192.168.38.3 - wef\vagrant:vagrant
+* Fleet login: https://192.168.38.105:8412 - admin:admin123#
+* Splunk login: https://192.168.38.105:8000 - admin:changeme
+* Caldera login: https://192.168.38.105:8888 - admin:caldera
+* MS ATA login: https://192.168.38.103 - wef\vagrant:vagrant
 
 ## Lab Hosts
 * DC - Windows 2016 Domain Controller

Vagrant/Vagrantfile

@@ -4,7 +4,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.box = "bento/ubuntu-16.04"
     cfg.vm.hostname = "logger"
     config.vm.provision :shell, path: "bootstrap.sh"
-    cfg.vm.network :private_network, ip: "192.168.38.5", gateway: "192.168.38.1", dns: "8.8.8.8"
+    cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
 
     cfg.vm.provider "vmware_fusion" do |v, override|
       v.vmx["displayname"] = "logger"
@@ -45,9 +45,9 @@ Vagrant.configure("2") do |config|
     cfg.winrm.basic_auth_only = true
     cfg.winrm.timeout = 300
     cfg.winrm.retry_limit = 20
-    cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1"
+    cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1"
 
-    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.2"
+    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.102"
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
     cfg.vm.provision "reload"
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
@@ -64,6 +64,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
+    cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true
     cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
 
     cfg.vm.provider "vmware_fusion" do |v, override|
@@ -102,14 +103,15 @@ Vagrant.configure("2") do |config|
     cfg.winrm.basic_auth_only = true
     cfg.winrm.timeout = 300
     cfg.winrm.retry_limit = 20
-    cfg.vm.network :private_network, ip: "192.168.38.3", gateway: "192.168.38.1", dns: "192.168.38.2"
+    cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
 
-    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.3 -dns 192.168.38.2"
+    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.103 -dns 192.168.38.102"
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
     cfg.vm.provision "reload"
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
+    cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true
     cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: true
@@ -158,15 +160,16 @@ Vagrant.configure("2") do |config|
     cfg.winrm.basic_auth_only = true
     cfg.winrm.timeout = 300
     cfg.winrm.retry_limit = 20
-    cfg.vm.network :private_network, ip: "192.168.38.4", gateway: "192.168.38.1", dns: "192.168.38.2"
+    cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
 
-    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.4 -dns 192.168.38.2"
+    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102"
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
     cfg.vm.provision "reload"
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: true
+    cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl “$_”}', privileged: true
     cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true

Vagrant/bootstrap.sh

@@ -14,19 +14,23 @@ apt_install_prerequisites() {
 
 fix_eth1_static_ip() {
   # There's a fun issue where dhclient keeps messing with eth1 despite the fact
-  # that eth1 has a static IP set. We workaround this by telling dhclient to leave it alone.
-  echo 'interface "eth1" {}' >> /etc/dhcp/dhclient.conf
+  # that eth1 has a static IP set. We workaround this by setting a static DHCP lease.
+  echo -e 'lease {
+      interface "eth1";
+      fixed-address 192.168.38.105;
+      send dhcp-requested-address 192.168.38.105;
+    }' >> /etc/dhcp/dhclient.conf
   systemctl restart networking.service
   # Fix eth1 if the IP isn't set correctly
   ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
-  if [ "$ETH1_IP" != "192.168.38.5" ]; then
+  if [ "$ETH1_IP" != "192.168.38.105" ]; then
     echo "Incorrect IP Address settings detected. Attempting to fix."
     ifdown eth1
     ip addr flush dev eth1
     ifup eth1
     ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
-    if [ "$ETH1_IP" == "192.168.38.5" ]; then
-      echo "The static IP has been fixed and set to 192.168.38.5"
+    if [ "$ETH1_IP" == "192.168.38.105" ]; then
+      echo "The static IP has been fixed and set to 192.168.38.105"
     else
       echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
       exit 1
@@ -158,30 +162,30 @@ import_osquery_config_into_fleet() {
     cd /home/vagrant/osquery-configuration/Endpoints/Windows/ || exit
     # Fleet requires you to login before importing packs
     # Login
-    curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure
+    curl 'https://192.168.38.105:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/login' -H 'authority: 192.168.38.105:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure
     sleep 1
-    curl 'https://192.168.38.5:8412/setup' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'authority: 192.168.38.5:8412' --compressed --insecure
+    curl 'https://192.168.38.105:8412/setup' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'authority: 192.168.38.105:8412' --compressed --insecure
     sleep 1
     # Setup organization name and email address
-    curl 'https://192.168.38.5:8412/api/v1/setup' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/setup' -H 'authority: 192.168.38.5:8412' --data-binary '{"kolide_server_url":"https://192.168.38.5:8412","org_info":{"org_name":"detectionlab"},"admin":{"admin":true,"email":"example@example.com","password":"admin123#","password_confirmation":"admin123#","username":"admin"}}' --compressed --insecure
+    curl 'https://192.168.38.105:8412/api/v1/setup' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/setup' -H 'authority: 192.168.38.105:8412' --data-binary '{"kolide_server_url":"https://192.168.38.105:8412","org_info":{"org_name":"detectionlab"},"admin":{"admin":true,"email":"example@example.com","password":"admin123#","password_confirmation":"admin123#","username":"admin"}}' --compressed --insecure
     sleep 3
     # Import all Windows configs
     /home/vagrant/configimporter/configimporter -host https://localhost:8412 -user 'admin' -config osquery_to_import.conf
 
     # Get auth token
-    TOKEN=$(curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure | grep token | cut -d '"' -f 4)
+    TOKEN=$(curl 'https://192.168.38.105:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/login' -H 'authority: 192.168.38.105:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure | grep token | cut -d '"' -f 4)
     # Set all packs to be targeted to Windows hosts
-    curl 'https://192.168.38.5:8412/api/v1/kolide/packs/1' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+    curl 'https://192.168.38.105:8412/api/v1/kolide/packs/1' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
     sleep 1
-    curl 'https://192.168.38.5:8412/api/v1/kolide/packs/2' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+    curl 'https://192.168.38.105:8412/api/v1/kolide/packs/2' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
     sleep 1
-    curl 'https://192.168.38.5:8412/api/v1/kolide/packs/3' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+    curl 'https://192.168.38.105:8412/api/v1/kolide/packs/3' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
     sleep 1
-    curl 'https://192.168.38.5:8412/api/v1/kolide/packs/4' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+    curl 'https://192.168.38.105:8412/api/v1/kolide/packs/4' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
     sleep 1
-    curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+    curl 'https://192.168.38.105:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/3/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
     # Rename primary pack
-    curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/5/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"name":"windows-pack"}' --compressed --insecure
+    curl 'https://192.168.38.105:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.105:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.105:8412/packs/5/edit' -H 'authority: 192.168.38.105:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"name":"windows-pack"}' --compressed --insecure
     # Add Splunk monitors for Fleet
     /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_result" -index osquery -sourcetype 'osquery:json' -auth 'admin:changeme'
     /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme'
@@ -223,122 +227,139 @@ install_bro() {
 	SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
 	SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager'
 	SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
-    echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list
-    curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add -
-    # update APT repositories
+  echo "deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /" > /etc/apt/sources.list.d/bro.list
+  curl -s http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/Release.key |apt-key add -
+
+  # update APT repositories
 	apt-get -qq -ym update
-    apt-get -qq -ym install \
-        bro \
-        crudini \
-    # install tools to build and configure bro
+  # install tools to build and configure bro
+  apt-get -qq -ym install bro crudini
+  # load bro scripts
+	echo '
+  @load protocols/ftp/software
+  @load protocols/smtp/software
+  @load protocols/ssh/software
+  @load protocols/http/software
+  @load tuning/json-logs
+  @load policy/integration/collective-intel
+  @load policy/frameworks/intel/do_notice
+  @load frameworks/intel/seen
+  @load frameworks/intel/do_notice
+  @load frameworks/files/hash-all-files
+  @load policy/protocols/smb
+  @load policy/protocols/conn/vlan-logging
+  @load policy/protocols/conn/mac-logging
 
-    # load bro scripts
-	cat<<EOF >> /opt/bro/share/bro/site/local.bro
-
-@load protocols/ftp/software
-@load protocols/smtp/software
-@load protocols/ssh/software
-@load protocols/http/software
-
-@load tuning/json-logs
-@load policy/integration/collective-intel
-@load policy/frameworks/intel/do_notice
-
-@load frameworks/intel/seen
-@load frameworks/intel/do_notice
-@load frameworks/files/hash-all-files
-
-@load policy/protocols/smb
-
-@load policy/protocols/conn/vlan-logging
-
-@load policy/protocols/conn/mac-logging
-
-redef Intel::read_files += {
+  redef Intel::read_files += {
         "/opt/bro/etc/intel.dat"
-};
+  };
+  ' >> /opt/bro/share/bro/site/local.bro
 
-EOF
-
-
-    # configure bro
+  # Configure Bro
 	crudini --del $NODECFG bro
 	crudini --set $NODECFG manager type manager
 	crudini --set $NODECFG manager host localhost
 	crudini --set $NODECFG proxy type proxy
 	crudini --set $NODECFG proxy host localhost
-	CPUS=$(lscpu  -e |awk /yes/'{print $1'} |wc -l)
 
-    # setup $CPUS numbers of bro workers
-	for i in eth1
-	do
-			crudini --set $NODECFG worker-$i type worker
-			crudini --set $NODECFG worker-$i host localhost
-			crudini --set $NODECFG worker-$i interface $i
-			crudini --set $NODECFG worker-$i lb_method pf_ring
-			crudini --set $NODECFG worker-$i lb_procs $CPUS
-	done
+  # Setup $CPUS numbers of bro workers
+	crudini --set $NODECFG worker-eth1 type worker
+	crudini --set $NODECFG worker-eth1 host localhost
+	crudini --set $NODECFG worker-eth1 interface eth1
+	crudini --set $NODECFG worker-eth1 lb_method pf_ring
+	crudini --set $NODECFG worker-eth1 lb_procs "$(nproc)"
 
-    # setup bro to run at boot
-    cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service
+  # Setup bro to run at boot
+  cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service
+  systemctl enable bro
+  systemctl start bro
 
-    for i in bro
-    do
-        systemctl enable $i
-        systemctl start $i
-    done
-
-    # setup splunk TA to ingest bro and suricata data
+  # Setup splunk TA to ingest bro and suricata data
 	git clone https://github.com/jahshuah/splunk-ta-bro-json $SPLUNK_BRO_JSON
 
 	mkdir -p $SPLUNK_BRO_JSON/local
 	cp $SPLUNK_BRO_JSON/default/inputs.conf $SPLUNK_BRO_JSON/local/inputs.conf
 
-
 	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR index   bro
 	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR sourcetype   json_bro
 	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR whitelist   '.*\.log$'
 	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR blacklist   '.*(communication|stderr)\.log$'
 	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR disabled   0
-
-
-
 	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index   suricata
 	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype   json_suricata
 	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist   'eve.json'
 	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled   0
 
-    # ensure permissions are correct and restart splunk
+  # Ensure permissions are correct and restart splunk
 	chown -R splunk $SPLUNK_BRO_JSON
-    /opt/splunk/bin/splunk restart
+  /opt/splunk/bin/splunk restart
+
+  # Verify that Bro is running
+  if ! pgrep -f bro > /dev/null; then
+    echo "Bro attempted to start but is not running. Exiting"
+    exit 1
+  fi
 }
 
 install_suricata() {
-    # install yq to maniuplate the suricata.yaml inline
+    # Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts
+
+    # Install yq to maniuplate the suricata.yaml inline
     /usr/bin/go get -u  github.com/mikefarah/yq
-    # install suricata
+    # Install suricata
     add-apt-repository -y ppa:oisf/suricata-stable
     apt-get -qq -y update && apt-get -qq -y install suricata crudini
-    # install suricata-update
-    pip3.6 install --pre --upgrade suricata-update
-    # add DC_SERVERS variable to suricata.yaml in support et-open signatures
+    # Install suricata-update
+    cd /home/vagrant || exit 1
+    git clone https://github.com/OISF/suricata-update.git
+    cd /home/vagrant/suricata-update || exit 1
+    python setup.py install
+    # Add DC_SERVERS variable to suricata.yaml in support et-open signatures
     /root/go/bin/yq w  -i /etc/suricata/suricata.yaml vars.address-groups.DC_SERVERS '$HOME_NET'
-    sed -i '0,/^/s//%YAML 1.1\n---\n/' /etc/suricata/suricata.yaml
+
+    # It may make sense to store the suricata.yaml file as a resource file if this begins to become too complex
+    # Add more verbose alert logging
+    /root/go/bin/yq w  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload true
+    /root/go/bin/yq w  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-buffer-size 4kb
+    /root/go/bin/yq w  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.payload-printable yes
+    /root/go/bin/yq w  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.packet yes
+    /root/go/bin/yq w  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.http yes
+    /root/go/bin/yq w  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.tls yes
+    /root/go/bin/yq w  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.ssh yes
+    /root/go/bin/yq w  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.0.alert.smtp yes
+    # Turn off traffic flow logging (duplicative of Bro and wrecks Splunk trial license)
+    /root/go/bin/yq d  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove HTTP
+    /root/go/bin/yq d  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove DNS
+    /root/go/bin/yq d  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.1 # Remove TLS
+    /root/go/bin/yq d  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SMTP
+    /root/go/bin/yq d  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove SSH
+    /root/go/bin/yq d  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Stats
+    /root/go/bin/yq d  -i /etc/suricata/suricata.yaml outputs.1.eve-log.types.2 # Remove Flow
+    # AF packet monitoring should be set to eth1
+    /root/go/bin/yq w -i /etc/suricata/suricata.yaml af-packet.0.interface eth1
+
     crudini --set --format=sh /etc/default/suricata '' iface eth1
     # update suricata signature sources
     suricata-update update-sources
     # disable protocol decode as it is duplicative of bro
     echo re:protocol-command-decode >> /etc/suricata/disable.conf
     # enable et-open and attackdetection sources
-    for i in et/open ptresearch/attackdetection
-    do
-                suricata-update enable-source $i
+    suricata-update enable-source et/open
+    suricata-update enable-source ptresearch/attackdetection
+    # Add the YAML header to the top of the suricata config
+    echo "Adding the YAML header to /etc/suricata/suricata.yaml"
+    echo -e "%YAML 1.1\n---\n$(cat /etc/suricata/suricata.yaml)" > /etc/suricata/suricata.yaml
 
-            done
-    # update suricata and restart
+    # Update suricata and restart
     suricata-update
-    systemctl restart suricata
+    service suricata stop
+    service suricata start
 
+    # Verify that Suricata is running
+    if ! pgrep -f suricata > /dev/null; then
+      echo "Suricata attempted to start but is not running. Exiting"
+      exit 1
+    fi
 }
 
 main() {

Vagrant/scripts/install-caldera-agent.ps1

@@ -2,7 +2,7 @@
 
 If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
   # Add /etc/hosts entry
-  Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.5    logger"
+  Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.105    logger"
 
   # Make the directory
   New-Item "c:\Program Files\cagent" -type directory

Vagrant/scripts/install-osquery.ps1

@@ -19,7 +19,7 @@ If (-not ($service)) {
   ###  --- TLS CONFIG BEGINS ---
   ### COMMENT ALL LINES BELOW UNTIL "TLS CONFIG ENDS" if using local configuration
   ## Add entry to hosts file for Kolide for SSL validation
-  Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.5    kolide"
+  Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.105    kolide"
   ## Add kolide secret and avoid BOM
   $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
   [System.IO.File]::WriteAllLines("c:\ProgramData\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)

Vagrant/scripts/install-splunkuf.ps1

@@ -6,7 +6,7 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"))
 
   Write-Host "Installing & Starting Splunk"
   (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
-  Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
+  Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
 } Else {
   Write-Host "Splunk is already installed. Moving on."
 }

Vagrant/scripts/join-domain.ps1

@@ -4,7 +4,7 @@
 Write-Host 'Join the domain'
 
 Write-Host "First, set DNS to DC to join the domain"
-$newDNSServers = "192.168.38.2"
+$newDNSServers = "192.168.38.102"
 $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
 $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
 

Vagrant/scripts/provision.ps1

@@ -26,7 +26,7 @@ if ($env:COMPUTERNAME -imatch 'vagrant') {
   }
 
   if ($env:COMPUTERNAME -imatch 'dc') {
-    . c:\vagrant\scripts\create-domain.ps1 192.168.38.2
+    . c:\vagrant\scripts\create-domain.ps1 192.168.38.102
   } else {
     . c:\vagrant\scripts\join-domain.ps1
   }

build.ps1

@@ -394,19 +394,19 @@ function download {
 function post_build_checks {
 
   Write-Verbose '[post_build_checks] Running Caldera Check.'
-  $CALDERA_CHECK = download -URL 'https://192.168.38.5:8888' -PatternToMatch '<title>CALDERA</title>'
+  $CALDERA_CHECK = download -URL 'https://192.168.38.105:8888' -PatternToMatch '<title>CALDERA</title>'
   Write-Verbose "[post_build_checks] Cladera Result: $CALDERA_CHECK"
 
   Write-Verbose '[post_build_checks] Running Splunk Check.'
-  $SPLUNK_CHECK = download -URL 'https://192.168.38.5:8000/en-US/account/login?return_to=%2Fen-US%2F' -PatternToMatch 'This browser is not supported by Splunk'
+  $SPLUNK_CHECK = download -URL 'https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F' -PatternToMatch 'This browser is not supported by Splunk'
   Write-Verbose "[post_build_checks] Splunk Result: $SPLUNK_CHECK"
 
   Write-Verbose '[post_build_checks] Running Fleet Check.'
-  $FLEET_CHECK = download -URL 'https://192.168.38.5:8412' -PatternToMatch 'Kolide Fleet'
+  $FLEET_CHECK = download -URL 'https://192.168.38.105:8412' -PatternToMatch 'Kolide Fleet'
   Write-Verbose "[post_build_checks] Fleet Result: $FLEET_CHECK"
 
   Write-Verbose '[post_build_checks] Running MS ATA Check.'
-  $ATA_CHECK = download -URL 'https://192.168.38.3' -SuccessOn401
+  $ATA_CHECK = download -URL 'https://192.168.38.103' -SuccessOn401
   Write-Verbose "[post_build_checks] ATA Result: $ATA_CHECK"
 
 

build.sh

@@ -251,10 +251,10 @@ vagrant_reload_host() {
 post_build_checks() {
   # If the curl operation fails, we'll just leave the variable equal to 0
   # This is needed to prevent the script from exiting if the curl operation fails
-  CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.5:8888 | grep -c '302: Found' || echo "")
-  SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.5:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "")
-  FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.5:8412 | grep -c 'Kolide Fleet' || echo "")
-  ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.3 -m 2)
+  CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.105:8888 | grep -c '302: Found' || echo "")
+  SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.105:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "")
+  FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.105:8412 | grep -c 'Kolide Fleet' || echo "")
+  ATA_CHECK=$(curl --fail --write-out "%{http_code}" -ks https://192.168.38.103 -m 2)
   [[ $ATA_CHECK == 401 ]] && ATA_CHECK=1
 
   BASH_MAJOR_VERSION=$(/bin/bash --version | grep 'GNU bash' | grep -o version\.\.. | cut -d ' ' -f 2 | cut -d '.' -f 1)