trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Make sure we have a DNS resolution when calling fix_eth1_static_ip.

Browse Source
This commit is contained in:
Ahmed Shawky
2020-03-13 11:00:07 +04:00
parent 306ddf7540
commit c351643c8c
1 changed files with 56 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
Vagrant/bootstrap.sh
View File

@@ -1,8 +1,8 @@
#! /bin/bash
export DEBIAN_FRONTEND=noninteractive
echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections;
echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections;
echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections
echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections
sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt bionic main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-security main restricted universe multiverse" /etc/apt/sources.list
@@ -12,7 +12,7 @@ apt_install_prerequisites() {
add-apt-repository -y ppa:apt-fast/stable
# Add repository for yq
add-apt-repository -y ppa:rmescandon/yq
 # Add repository for suricata
 # Add repository for suricata
add-apt-repository -y ppa:oisf/suricata-stable
# Install prerequisites and useful tools
echo "[$(date +%H:%M:%S)]: Running apt-get clean..."
@@ -37,15 +37,14 @@ modify_motd() {
}
test_prerequisites() {
for package in jq whois build-essential git docker docker-compose unzip yq
do
for package in jq whois build-essential git docker docker-compose unzip yq; do
echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
# Loop through each package using dpkg
if ! dpkg -S $package > /dev/null; then
if ! dpkg -S $package >/dev/null; then
# If which returns a non-zero return code, try to re-install the package
echo "[-] $package was not found. Attempting to reinstall."
apt-get -qq update && apt-get install -y $package
if ! which $package > /dev/null; then
if ! which $package >/dev/null; then
# If the reinstall fails, give up
echo "[X] Unable to install $package even after a retry. Exiting."
exit 1
@@ -64,8 +63,8 @@ fix_eth1_static_ip() {
fi
if [ -f /sys/class/net/eth2/address ]; then
if [ "$(cat /sys/class/net/eth2/address)" == "00:50:56:a3:b1:c4" ]; then
echo "[*] Using ESXi, no need to change anything"
return 0
echo "[*] Using ESXi, no need to change anything"
return 0
fi
fi
# There's a fun issue where dhclient keeps messing with eth1 despite the fact
@@ -73,7 +72,7 @@ fix_eth1_static_ip() {
echo -e 'interface "eth1" {
send host-name = gethostname();
send dhcp-requested-address 192.168.38.105;
}' >> /etc/dhcp/dhclient.conf
}' >>/etc/dhcp/dhclient.conf
netplan apply
# Fix eth1 if the IP isn't set correctly
ETH1_IP=$(ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
@@ -90,6 +89,12 @@ fix_eth1_static_ip() {
exit 1
fi
fi
# Make sure we do have a DNS resolution
while true; do
if [ "$(dig +short @8.8.8.8 github.com)" ]; then break; fi
sleep 1
done
}
install_splunk() {
@@ -99,9 +104,9 @@ install_splunk() {
else
echo "[$(date +%H:%M:%S)]: Installing Splunk..."
# Get download.splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
dig @8.8.8.8 download.splunk.com > /dev/null
dig @8.8.8.8 splunk.com > /dev/null
dig @8.8.8.8 www.splunk.com > /dev/null
dig @8.8.8.8 download.splunk.com >/dev/null
dig @8.8.8.8 splunk.com >/dev/null
dig @8.8.8.8 www.splunk.com >/dev/null
# Try to resolve the latest version of Splunk by parsing the HTML on the downloads page
echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..."
@@ -131,11 +136,11 @@ install_splunk() {
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme'
# Uncomment the following block to install BOTSv2
# Thanks to @MHaggis for this addition!
@@ -192,7 +197,7 @@ install_splunk() {
rm /opt/splunk/etc/apps/force_directed_viz/default/savedsearches.conf
# Add a Splunk TCP input on port 9997
echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
echo -e "[splunktcp://9997]\nconnection_host = ip" >/opt/splunk/etc/apps/search/local/inputs.conf
# Add props.conf and transforms.conf
cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/
cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
@@ -204,7 +209,7 @@ install_splunk() {
echo "[$(date +%H:%M:%S)]: Disabling the Splunk tour prompt..."
touch /opt/splunk/etc/.ui_login
mkdir -p /opt/splunk/etc/users/admin/search/local
echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/system/local/ui-tour.conf
echo -e "[search-tour]\nviewed = 1" >/opt/splunk/etc/system/local/ui-tour.conf
# Source: https://answers.splunk.com/answers/660728/how-to-disable-the-modal-pop-up-help-us-to-improve.html
echo '[general]
render_version_messages = 0
@@ -213,7 +218,7 @@ dismissedInstrumentationOptInVersion = 1
[general_default]
hideInstrumentationOptInModal = 1
showWhatsNew = 0
notification_python_3_impact = false' > /opt/splunk/etc/system/local/user-prefs.conf
notification_python_3_impact = false' >/opt/splunk/etc/system/local/user-prefs.conf
echo '[general]
render_version_messages = 0
hideInstrumentationOptInModal = 1
@@ -221,12 +226,12 @@ dismissedInstrumentationOptInVersion = 1
[general_default]
hideInstrumentationOptInModal = 1
showWhatsNew = 0
notification_python_3_impact = false' > /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
# Disable the instrumentation popup
echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >> /opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
notification_python_3_impact = false' >/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
# Disable the instrumentation popup
echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >>/opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
# Enable SSL Login for Splunk
echo -e "[settings]\nenableSplunkWebSSL = true" > /opt/splunk/etc/system/local/web.conf
echo -e "[settings]\nenableSplunkWebSSL = true" >/opt/splunk/etc/system/local/web.conf
# Reboot Splunk to make changes take effect
/opt/splunk/bin/splunk restart
/opt/splunk/bin/splunk enable boot-start
@@ -241,8 +246,8 @@ install_fleet() {
echo "[$(date +%H:%M:%S)]: Fleet is already installed"
else
echo "[$(date +%H:%M:%S)]: Installing Fleet..."
echo -e "\n127.0.0.1 kolide" >> /etc/hosts
echo -e "\n127.0.0.1 logger" >> /etc/hosts
echo -e "\n127.0.0.1 kolide" >>/etc/hosts
echo -e "\n127.0.0.1 logger" >>/etc/hosts
cd /opt && git clone https://github.com/kolide/kolide-quickstart.git
cd /opt/kolide-quickstart || echo "Something went wrong while trying to clone the kolide-quickstart repository"
cp /vagrant/resources/fleet/server.* .
@@ -294,8 +299,8 @@ import_osquery_config_into_fleet() {
# Use fleetctl to import YAML files
fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml
do fleetctl apply -f "$pack"
for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml; do
fleetctl apply -f "$pack"
done
# Add Splunk monitors for Fleet
@@ -313,7 +318,7 @@ install_zeek() {
SPLUNK_SURICATA_SOURCETYPE='json_suricata'
sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key
apt-key add - < /tmp/Release.key
apt-key add - </tmp/Release.key
# Update APT repositories
apt-get -qq -ym update
# Install tools to build and configure Zeek
@@ -343,7 +348,7 @@ install_zeek() {
redef Intel::read_files += {
"/opt/zeek/etc/intel.dat"
};
' >> /opt/zeek/share/zeek/site/local.zeek
' >>/opt/zeek/share/zeek/site/local.zeek
# Configure Zeek
crudini --del $NODECFG zeek
@@ -367,23 +372,23 @@ install_zeek() {
mkdir -p $SPLUNK_ZEEK_JSON/local
cp $SPLUNK_ZEEK_JSON/default/inputs.conf $SPLUNK_ZEEK_JSON/local/inputs.conf
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$'
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$'
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$'
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$'
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
# Ensure permissions are correct and restart splunk
chown -R splunk $SPLUNK_ZEEK_JSON
/opt/splunk/bin/splunk restart
# Verify that Zeek is running
if ! pgrep -f zeek > /dev/null; then
if ! pgrep -f zeek >/dev/null; then
echo "Zeek attempted to start but is not running. Exiting"
exit 1
fi
@@ -407,7 +412,7 @@ install_suricata() {
# update suricata signature sources
suricata-update update-sources
# disable protocol decode as it is duplicative of Zeek
echo re:protocol-command-decode >> /etc/suricata/disable.conf
echo re:protocol-command-decode >>/etc/suricata/disable.conf
# enable et-open and attackdetection sources
suricata-update enable-source et/open
suricata-update enable-source ptresearch/attackdetection
@@ -419,22 +424,21 @@ install_suricata() {
sleep 3
# Verify that Suricata is running
if ! pgrep -f suricata > /dev/null; then
if ! pgrep -f suricata >/dev/null; then
echo "Suricata attempted to start but is not running. Exiting"
exit 1
fi
}
test_suricata_prerequisites() {
for package in suricata crudini
do
for package in suricata crudini; do
echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
# Loop through each package using dpkg
if ! dpkg -S $package > /dev/null; then
if ! dpkg -S $package >/dev/null; then
# If which returns a non-zero return code, try to re-install the package
echo "[-] $package was not found. Attempting to reinstall."
apt-get clean && apt-get -qq update && apt-get install -y $package
if ! which $package > /dev/null; then
if ! which $package >/dev/null; then
# If the reinstall fails, give up
echo "[X] Unable to install $package even after a retry. Exiting."
exit 1
@@ -451,7 +455,7 @@ install_guacamole() {
apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
./configure &> /dev/null && make --quiet &> /dev/null && make --quiet install &> /dev/null || echo "[-] An error occurred while installing Guacamole."
./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole."
ldconfig
cd /var/lib/tomcat8/webapps
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war" -O guacamole.war
@@ -470,7 +474,7 @@ install_guacamole() {
postinstall_tasks() {
# Include Splunk and Zeek in the PATH
echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >> ~/.bashrc
echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
# Ping DetectionLab server for usage statistics
curl -A "DetectionLab-logger" "https://detectionlab.network/logger"
}