Make sure DNS resolution is working when calling fix_eth1_static_ip.
@@ -1,8 +1,8 @@
|
|||||||
#! /bin/bash
|
#! /bin/bash
|
||||||
|
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections;
|
echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections
|
||||||
echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections;
|
echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections
|
||||||
|
|
||||||
sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt bionic main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-security main restricted universe multiverse" /etc/apt/sources.list
|
sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt bionic main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-security main restricted universe multiverse" /etc/apt/sources.list
|
||||||
|
|
||||||
@@ -12,7 +12,7 @@ apt_install_prerequisites() {
|
|||||||
add-apt-repository -y ppa:apt-fast/stable
|
add-apt-repository -y ppa:apt-fast/stable
|
||||||
# Add repository for yq
|
# Add repository for yq
|
||||||
add-apt-repository -y ppa:rmescandon/yq
|
add-apt-repository -y ppa:rmescandon/yq
|
||||||
# Add repository for suricata
|
# Add repository for suricata
|
||||||
add-apt-repository -y ppa:oisf/suricata-stable
|
add-apt-repository -y ppa:oisf/suricata-stable
|
||||||
# Install prerequisites and useful tools
|
# Install prerequisites and useful tools
|
||||||
echo "[$(date +%H:%M:%S)]: Running apt-get clean..."
|
echo "[$(date +%H:%M:%S)]: Running apt-get clean..."
|
||||||
@@ -37,15 +37,14 @@ modify_motd() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
test_prerequisites() {
|
test_prerequisites() {
|
||||||
for package in jq whois build-essential git docker docker-compose unzip yq
|
for package in jq whois build-essential git docker docker-compose unzip yq; do
|
||||||
do
|
|
||||||
echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
|
echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
|
||||||
# Loop through each package using dpkg
|
# Loop through each package using dpkg
|
||||||
if ! dpkg -S $package > /dev/null; then
|
if ! dpkg -S $package >/dev/null; then
|
||||||
# If which returns a non-zero return code, try to re-install the package
|
# If which returns a non-zero return code, try to re-install the package
|
||||||
echo "[-] $package was not found. Attempting to reinstall."
|
echo "[-] $package was not found. Attempting to reinstall."
|
||||||
apt-get -qq update && apt-get install -y $package
|
apt-get -qq update && apt-get install -y $package
|
||||||
if ! which $package > /dev/null; then
|
if ! which $package >/dev/null; then
|
||||||
# If the reinstall fails, give up
|
# If the reinstall fails, give up
|
||||||
echo "[X] Unable to install $package even after a retry. Exiting."
|
echo "[X] Unable to install $package even after a retry. Exiting."
|
||||||
exit 1
|
exit 1
|
||||||
@@ -64,8 +63,8 @@ fix_eth1_static_ip() {
|
|||||||
fi
|
fi
|
||||||
if [ -f /sys/class/net/eth2/address ]; then
|
if [ -f /sys/class/net/eth2/address ]; then
|
||||||
if [ "$(cat /sys/class/net/eth2/address)" == "00:50:56:a3:b1:c4" ]; then
|
if [ "$(cat /sys/class/net/eth2/address)" == "00:50:56:a3:b1:c4" ]; then
|
||||||
echo "[*] Using ESXi, no need to change anything"
|
echo "[*] Using ESXi, no need to change anything"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# There's a fun issue where dhclient keeps messing with eth1 despite the fact
|
# There's a fun issue where dhclient keeps messing with eth1 despite the fact
|
||||||
@@ -73,7 +72,7 @@ fix_eth1_static_ip() {
|
|||||||
echo -e 'interface "eth1" {
|
echo -e 'interface "eth1" {
|
||||||
send host-name = gethostname();
|
send host-name = gethostname();
|
||||||
send dhcp-requested-address 192.168.38.105;
|
send dhcp-requested-address 192.168.38.105;
|
||||||
}' >> /etc/dhcp/dhclient.conf
|
}' >>/etc/dhcp/dhclient.conf
|
||||||
netplan apply
|
netplan apply
|
||||||
# Fix eth1 if the IP isn't set correctly
|
# Fix eth1 if the IP isn't set correctly
|
||||||
ETH1_IP=$(ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
|
ETH1_IP=$(ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
|
||||||
@@ -90,6 +89,12 @@ fix_eth1_static_ip() {
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Make sure we do have a DNS resolution
|
||||||
|
while true; do
|
||||||
|
if [ "$(dig +short @8.8.8.8 github.com)" ]; then break; fi
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
install_splunk() {
|
install_splunk() {
|
||||||
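Review bot: The new `while true` loop in fix_eth1_static_ip has no upper bound, so if UDP/53 egress to 8.8.8.8 is blocked or eth1 never comes up, provisioning hangs silently instead of failing the way the other checks in this script do with an `[X] … Exiting.` message and `exit 1`. The readiness test is also weaker than it looks: dig writes its `;; connection timed out; no servers could be reached` diagnostic to stdout, so `[ "$(dig +short @8.8.8.8 github.com)" ]` is true on exactly the failure it is meant to detect; checking dig's exit status together with a non-empty answer avoids that. Querying 8.8.8.8 directly also bypasses the system resolver that the later apt-get/wget calls presumably use, so success here does not prove those lookups will work; a `getent hosts` check on the same name exercises the real resolver path. The enclosing function begins before this hunk. A bounded variant:
```shell
# … unchanged: eth1/eth2 address checks and dhclient fixups above …
# Make sure we do have a DNS resolution. Bounded so a blocked resolver fails
# loudly instead of hanging the provisioner; use dig's exit status, since its
# "no servers could be reached" diagnostic goes to stdout and would pass a
# non-empty-string test.
dns_ok=0
for ((attempt = 1; attempt <= 60; attempt++)); do
  if answer=$(dig +short +time=2 +tries=1 @8.8.8.8 github.com 2>/dev/null) \
    && [ -n "$answer" ] \
    && getent hosts github.com >/dev/null; then
    dns_ok=1
    break
  fi
  sleep 1
done
if [ "$dns_ok" -ne 1 ]; then
  echo "[X] DNS resolution still failing after 60 attempts. Exiting."
  exit 1
fi
```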
@@ -99,9 +104,9 @@ install_splunk() {
|
|||||||
else
|
else
|
||||||
echo "[$(date +%H:%M:%S)]: Installing Splunk..."
|
echo "[$(date +%H:%M:%S)]: Installing Splunk..."
|
||||||
# Get download.splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
|
# Get download.splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
|
||||||
dig @8.8.8.8 download.splunk.com > /dev/null
|
dig @8.8.8.8 download.splunk.com >/dev/null
|
||||||
dig @8.8.8.8 splunk.com > /dev/null
|
dig @8.8.8.8 splunk.com >/dev/null
|
||||||
dig @8.8.8.8 www.splunk.com > /dev/null
|
dig @8.8.8.8 www.splunk.com >/dev/null
|
||||||
|
|
||||||
# Try to resolve the latest version of Splunk by parsing the HTML on the downloads page
|
# Try to resolve the latest version of Splunk by parsing the HTML on the downloads page
|
||||||
echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..."
|
echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..."
|
||||||
@@ -131,15 +136,15 @@ install_splunk() {
|
|||||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
|
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
|
||||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
|
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
|
||||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
|
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
|
||||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
|
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
|
||||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
|
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
|
||||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
|
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
|
||||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
|
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
|
||||||
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme'
|
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme'
|
||||||
|
|
||||||
# Uncomment the following block to install BOTSv2
|
# Uncomment the following block to install BOTSv2
|
||||||
# Thanks to @MHaggis for this addition!
|
# Thanks to @MHaggis for this addition!
|
||||||
# It is recommended to only uncomment the attack-only dataset comment block.
|
# It is recommended to only uncomment the attack-only dataset comment block.
|
||||||
# You may also link to the full dataset which is ~12GB if you prefer.
|
# You may also link to the full dataset which is ~12GB if you prefer.
|
||||||
# More information on BOTSv2 can be found at https://github.com/splunk/botsv2
|
# More information on BOTSv2 can be found at https://github.com/splunk/botsv2
|
||||||
|
|
||||||
@@ -179,7 +184,7 @@ install_splunk() {
|
|||||||
# echo "[$(date +%H:%M:%S)]: Extracting to Splunk Apps directory"
|
# echo "[$(date +%H:%M:%S)]: Extracting to Splunk Apps directory"
|
||||||
# tar zxvf botsv2_data_set.tgz /opt/splunk/etc/apps
|
# tar zxvf botsv2_data_set.tgz /opt/splunk/etc/apps
|
||||||
### FULL DATASET COMMENT BLOCK ENDS ###
|
### FULL DATASET COMMENT BLOCK ENDS ###
|
||||||
|
|
||||||
### BOTSv2 COMMENT BLOCK ENDS ###
|
### BOTSv2 COMMENT BLOCK ENDS ###
|
||||||
|
|
||||||
# Add custom Macro definitions for ThreatHunting App
|
# Add custom Macro definitions for ThreatHunting App
|
||||||
@@ -192,7 +197,7 @@ install_splunk() {
|
|||||||
rm /opt/splunk/etc/apps/force_directed_viz/default/savedsearches.conf
|
rm /opt/splunk/etc/apps/force_directed_viz/default/savedsearches.conf
|
||||||
|
|
||||||
# Add a Splunk TCP input on port 9997
|
# Add a Splunk TCP input on port 9997
|
||||||
echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
|
echo -e "[splunktcp://9997]\nconnection_host = ip" >/opt/splunk/etc/apps/search/local/inputs.conf
|
||||||
# Add props.conf and transforms.conf
|
# Add props.conf and transforms.conf
|
||||||
cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/
|
cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/
|
||||||
cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
|
cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
|
||||||
@@ -204,7 +209,7 @@ install_splunk() {
|
|||||||
echo "[$(date +%H:%M:%S)]: Disabling the Splunk tour prompt..."
|
echo "[$(date +%H:%M:%S)]: Disabling the Splunk tour prompt..."
|
||||||
touch /opt/splunk/etc/.ui_login
|
touch /opt/splunk/etc/.ui_login
|
||||||
mkdir -p /opt/splunk/etc/users/admin/search/local
|
mkdir -p /opt/splunk/etc/users/admin/search/local
|
||||||
echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/system/local/ui-tour.conf
|
echo -e "[search-tour]\nviewed = 1" >/opt/splunk/etc/system/local/ui-tour.conf
|
||||||
# Source: https://answers.splunk.com/answers/660728/how-to-disable-the-modal-pop-up-help-us-to-improve.html
|
# Source: https://answers.splunk.com/answers/660728/how-to-disable-the-modal-pop-up-help-us-to-improve.html
|
||||||
echo '[general]
|
echo '[general]
|
||||||
render_version_messages = 0
|
render_version_messages = 0
|
||||||
@@ -213,7 +218,7 @@ dismissedInstrumentationOptInVersion = 1
|
|||||||
[general_default]
|
[general_default]
|
||||||
hideInstrumentationOptInModal = 1
|
hideInstrumentationOptInModal = 1
|
||||||
showWhatsNew = 0
|
showWhatsNew = 0
|
||||||
notification_python_3_impact = false' > /opt/splunk/etc/system/local/user-prefs.conf
|
notification_python_3_impact = false' >/opt/splunk/etc/system/local/user-prefs.conf
|
||||||
echo '[general]
|
echo '[general]
|
||||||
render_version_messages = 0
|
render_version_messages = 0
|
||||||
hideInstrumentationOptInModal = 1
|
hideInstrumentationOptInModal = 1
|
||||||
@@ -221,12 +226,12 @@ dismissedInstrumentationOptInVersion = 1
|
|||||||
[general_default]
|
[general_default]
|
||||||
hideInstrumentationOptInModal = 1
|
hideInstrumentationOptInModal = 1
|
||||||
showWhatsNew = 0
|
showWhatsNew = 0
|
||||||
notification_python_3_impact = false' > /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
|
notification_python_3_impact = false' >/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
|
||||||
# Disable the instrumentation popup
|
# Disable the instrumentation popup
|
||||||
echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >> /opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
|
echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >>/opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
|
||||||
|
|
||||||
# Enable SSL Login for Splunk
|
# Enable SSL Login for Splunk
|
||||||
echo -e "[settings]\nenableSplunkWebSSL = true" > /opt/splunk/etc/system/local/web.conf
|
echo -e "[settings]\nenableSplunkWebSSL = true" >/opt/splunk/etc/system/local/web.conf
|
||||||
# Reboot Splunk to make changes take effect
|
# Reboot Splunk to make changes take effect
|
||||||
/opt/splunk/bin/splunk restart
|
/opt/splunk/bin/splunk restart
|
||||||
/opt/splunk/bin/splunk enable boot-start
|
/opt/splunk/bin/splunk enable boot-start
|
||||||
@@ -241,8 +246,8 @@ install_fleet() {
|
|||||||
echo "[$(date +%H:%M:%S)]: Fleet is already installed"
|
echo "[$(date +%H:%M:%S)]: Fleet is already installed"
|
||||||
else
|
else
|
||||||
echo "[$(date +%H:%M:%S)]: Installing Fleet..."
|
echo "[$(date +%H:%M:%S)]: Installing Fleet..."
|
||||||
echo -e "\n127.0.0.1 kolide" >> /etc/hosts
|
echo -e "\n127.0.0.1 kolide" >>/etc/hosts
|
||||||
echo -e "\n127.0.0.1 logger" >> /etc/hosts
|
echo -e "\n127.0.0.1 logger" >>/etc/hosts
|
||||||
cd /opt && git clone https://github.com/kolide/kolide-quickstart.git
|
cd /opt && git clone https://github.com/kolide/kolide-quickstart.git
|
||||||
cd /opt/kolide-quickstart || echo "Something went wrong while trying to clone the kolide-quickstart repository"
|
cd /opt/kolide-quickstart || echo "Something went wrong while trying to clone the kolide-quickstart repository"
|
||||||
cp /vagrant/resources/fleet/server.* .
|
cp /vagrant/resources/fleet/server.* .
|
||||||
@@ -294,8 +299,8 @@ import_osquery_config_into_fleet() {
|
|||||||
# Use fleetctl to import YAML files
|
# Use fleetctl to import YAML files
|
||||||
fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
|
fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
|
||||||
fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
|
fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
|
||||||
for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml
|
for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml; do
|
||||||
do fleetctl apply -f "$pack"
|
fleetctl apply -f "$pack"
|
||||||
done
|
done
|
||||||
|
|
||||||
# Add Splunk monitors for Fleet
|
# Add Splunk monitors for Fleet
|
||||||
@@ -313,7 +318,7 @@ install_zeek() {
|
|||||||
SPLUNK_SURICATA_SOURCETYPE='json_suricata'
|
SPLUNK_SURICATA_SOURCETYPE='json_suricata'
|
||||||
sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
|
sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
|
||||||
wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key
|
wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key
|
||||||
apt-key add - < /tmp/Release.key
|
apt-key add - </tmp/Release.key
|
||||||
# Update APT repositories
|
# Update APT repositories
|
||||||
apt-get -qq -ym update
|
apt-get -qq -ym update
|
||||||
# Install tools to build and configure Zeek
|
# Install tools to build and configure Zeek
|
||||||
@@ -343,7 +348,7 @@ install_zeek() {
|
|||||||
redef Intel::read_files += {
|
redef Intel::read_files += {
|
||||||
"/opt/zeek/etc/intel.dat"
|
"/opt/zeek/etc/intel.dat"
|
||||||
};
|
};
|
||||||
' >> /opt/zeek/share/zeek/site/local.zeek
|
' >>/opt/zeek/share/zeek/site/local.zeek
|
||||||
|
|
||||||
# Configure Zeek
|
# Configure Zeek
|
||||||
crudini --del $NODECFG zeek
|
crudini --del $NODECFG zeek
|
||||||
@@ -367,23 +372,23 @@ install_zeek() {
|
|||||||
mkdir -p $SPLUNK_ZEEK_JSON/local
|
mkdir -p $SPLUNK_ZEEK_JSON/local
|
||||||
cp $SPLUNK_ZEEK_JSON/default/inputs.conf $SPLUNK_ZEEK_JSON/local/inputs.conf
|
cp $SPLUNK_ZEEK_JSON/default/inputs.conf $SPLUNK_ZEEK_JSON/local/inputs.conf
|
||||||
|
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek
|
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json
|
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$'
|
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$'
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$'
|
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$'
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0
|
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
|
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json
|
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
|
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
|
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
|
||||||
crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
|
crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
|
||||||
|
|
||||||
# Ensure permissions are correct and restart splunk
|
# Ensure permissions are correct and restart splunk
|
||||||
chown -R splunk $SPLUNK_ZEEK_JSON
|
chown -R splunk $SPLUNK_ZEEK_JSON
|
||||||
/opt/splunk/bin/splunk restart
|
/opt/splunk/bin/splunk restart
|
||||||
|
|
||||||
# Verify that Zeek is running
|
# Verify that Zeek is running
|
||||||
if ! pgrep -f zeek > /dev/null; then
|
if ! pgrep -f zeek >/dev/null; then
|
||||||
echo "Zeek attempted to start but is not running. Exiting"
|
echo "Zeek attempted to start but is not running. Exiting"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
@@ -407,7 +412,7 @@ install_suricata() {
|
|||||||
# update suricata signature sources
|
# update suricata signature sources
|
||||||
suricata-update update-sources
|
suricata-update update-sources
|
||||||
# disable protocol decode as it is duplicative of Zeek
|
# disable protocol decode as it is duplicative of Zeek
|
||||||
echo re:protocol-command-decode >> /etc/suricata/disable.conf
|
echo re:protocol-command-decode >>/etc/suricata/disable.conf
|
||||||
# enable et-open and attackdetection sources
|
# enable et-open and attackdetection sources
|
||||||
suricata-update enable-source et/open
|
suricata-update enable-source et/open
|
||||||
suricata-update enable-source ptresearch/attackdetection
|
suricata-update enable-source ptresearch/attackdetection
|
||||||
@@ -419,22 +424,21 @@ install_suricata() {
|
|||||||
sleep 3
|
sleep 3
|
||||||
|
|
||||||
# Verify that Suricata is running
|
# Verify that Suricata is running
|
||||||
if ! pgrep -f suricata > /dev/null; then
|
if ! pgrep -f suricata >/dev/null; then
|
||||||
echo "Suricata attempted to start but is not running. Exiting"
|
echo "Suricata attempted to start but is not running. Exiting"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
test_suricata_prerequisites() {
|
test_suricata_prerequisites() {
|
||||||
for package in suricata crudini
|
for package in suricata crudini; do
|
||||||
do
|
|
||||||
echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
|
echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
|
||||||
# Loop through each package using dpkg
|
# Loop through each package using dpkg
|
||||||
if ! dpkg -S $package > /dev/null; then
|
if ! dpkg -S $package >/dev/null; then
|
||||||
# If which returns a non-zero return code, try to re-install the package
|
# If which returns a non-zero return code, try to re-install the package
|
||||||
echo "[-] $package was not found. Attempting to reinstall."
|
echo "[-] $package was not found. Attempting to reinstall."
|
||||||
apt-get clean && apt-get -qq update && apt-get install -y $package
|
apt-get clean && apt-get -qq update && apt-get install -y $package
|
||||||
if ! which $package > /dev/null; then
|
if ! which $package >/dev/null; then
|
||||||
# If the reinstall fails, give up
|
# If the reinstall fails, give up
|
||||||
echo "[X] Unable to install $package even after a retry. Exiting."
|
echo "[X] Unable to install $package even after a retry. Exiting."
|
||||||
exit 1
|
exit 1
|
||||||
@@ -451,7 +455,7 @@ install_guacamole() {
|
|||||||
apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
|
apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
|
||||||
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
|
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
|
||||||
tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
|
tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
|
||||||
./configure &> /dev/null && make --quiet &> /dev/null && make --quiet install &> /dev/null || echo "[-] An error occurred while installing Guacamole."
|
./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole."
|
||||||
ldconfig
|
ldconfig
|
||||||
cd /var/lib/tomcat8/webapps
|
cd /var/lib/tomcat8/webapps
|
||||||
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war" -O guacamole.war
|
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war" -O guacamole.war
|
||||||
@@ -470,7 +474,7 @@ install_guacamole() {
|
|||||||
|
|
||||||
postinstall_tasks() {
|
postinstall_tasks() {
|
||||||
# Include Splunk and Zeek in the PATH
|
# Include Splunk and Zeek in the PATH
|
||||||
echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >> ~/.bashrc
|
echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
|
||||||
# Ping DetectionLab server for usage statistics
|
# Ping DetectionLab server for usage statistics
|
||||||
curl -A "DetectionLab-logger" "https://detectionlab.network/logger"
|
curl -A "DetectionLab-logger" "https://detectionlab.network/logger"
|
||||||
}
|
}
|
||||||
|
|||||||