added kali and fixed path for securityonion

2021-08-06 17:06:40 +02:00
parent 70f1922e80
commit ea58df86cc
2 changed files with 385 additions and 6 deletions
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -82,7 +82,6 @@ EOF
    systemctl start default-gateway.service
  SHELL

-
    cfg.vm.provider "virtualbox" do |vb, override|
      vb.gui = false
      vb.name = "logger"
@@ -99,11 +98,11 @@ EOF
  config.vm.define "dc" do |cfg|
    cfg.vm.box = "detectionlab/win2016"
    cfg.vm.hostname = "dc"
-    cfg.vm.boot_timeout = 600
+    cfg.vm.boot_timeout = 1200
    cfg.winrm.transport = :plaintext
    cfg.vm.communicator = "winrm"
    cfg.winrm.basic_auth_only = true
-    cfg.winrm.timeout = 300
+    cfg.winrm.timeout = 1200
    cfg.winrm.retry_limit = 20
    cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1", dns: "8.8.8.8"

@@ -149,10 +148,10 @@ EOF
  config.vm.define "wef" do |cfg|
    cfg.vm.box = "detectionlab/win2016"
    cfg.vm.hostname = "wef"
-    cfg.vm.boot_timeout = 600
+    cfg.vm.boot_timeout = 1200
    cfg.vm.communicator = "winrm"
    cfg.winrm.basic_auth_only = true
-    cfg.winrm.timeout = 300
+    cfg.winrm.timeout = 1200
    cfg.winrm.retry_limit = 20
    cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"

@@ -236,6 +235,50 @@ EOF
    end
  end

+  config.vm.define "kali", autostart: false do |cfg|
+    cfg.vm.box = "kalilinux/rolling"
+    cfg.vm.hostname = "kali"
+    cfg.vm.network :private_network, ip: "192.168.38.20", gateway: "192.168.38.1", dns: "8.8.8.8"
+    cfg.vm.network :private_network, ip: "192.168.39.20", gateway: "192.168.39.1", dns: "8.8.8.8"
+
+    cfg.vm.provision "shell", run: "always", inline: <<-SHELL
+      route del default gw 10.0.2.2
+      route add default gw 192.168.38.2
+    SHELL
+    cfg.vm.provision "shell", inline: <<-SHELL
+    export DEBIAN_FRONTEND=noninteractive
+    cat <<-'EOF' >/opt/default-gateway.sh
+#!/bin/bash
+route del default gw 10.0.2.2
+route add default gw 192.168.38.2
+EOF
+    cat <<-'EOF' >/etc/systemd/system/default-gateway.service
+[Unit]
+After=network.service
+Description=default-gateway
+
+[Service]
+Type=simple
+ExecStart=/opt/default-gateway.sh
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    chmod 744 /opt/default-gateway.sh
+    chmod 664 /etc/systemd/system/default-gateway.service
+    systemctl daemon-reload
+    systemctl enable default-gateway.service
+    systemctl start default-gateway.service
+  SHELL
+
+    cfg.vm.provider "virtualbox" do |vb|
+      vb.name = "kali"
+      vb.gui = false 
+      vb.cpus = 2
+      vb.memory = "4096"
+    end
+  end
+
  config.vm.define "securityonion", autostart: false do |cfg|
    cfg.vm.box = "ubuntu/trusty64"
    cfg.vm.hostname = "securityonion"
@@ -260,7 +303,7 @@ EOF
      apt-get -y install securityonion-all syslog-ng-core
      apt-get -y autoremove
      apt-get clean
-      sosetup -y -f /vagrant/sosetup.conf
+      sosetup -y -f /vagrant/resources/securityonion/sosetup.conf
      ufw allow 443/tcp
    SHELL
  end
--- a/Vagrant/resources/securityonion/sosetup.conf
+++ b/Vagrant/resources/securityonion/sosetup.conf
@@ -0,0 +1,336 @@
+################################
+# sosetup.conf
+################################
+# This file can be used to automate sosetup.
+#
+# Copy this example file to your home directory:
+# cp /usr/share/securityonion/sosetup.conf ~
+#
+# Edit your new sosetup.conf:
+# nano ~/sosetup.conf
+#
+# Run Setup with the -f switch and the path to this file:
+# sudo sosetup -f ~/sosetup.conf
+
+################################
+# Management Interface
+################################
+# MGMT_INTERFACE
+# Which network interface should be the management interface?
+# The management interface has an IP address and is NOT used for sniffing.
+# We recommend that you always make this eth0 if possible for consistency.
+MGMT_INTERFACE='eth2'
+
+# MGMT_CONFIG_TYPE
+# Should the management interface be configured using DHCP or static IP?
+# We recommend using static IP whenever possible.
+MGMT_CONFIG_TYPE='static'
+# MGMT_CONFIG_TYPE='DHCP'
+
+# If MGMT_CONFIG_TYPE=static, then provide the details here:
+ADDRESS='192.168.39.10'
+NETMASK='255.255.255.0'
+GATEWAY='192.168.39.1'
+NAMESERVER='192.168.39.1'
+DOMAIN='example.com'
+
+################################
+# Sniffing interface(s)
+################################
+# Which interface(s) will be sniffing network traffic?
+# For multiple interfaces, please separate them with spaces.
+# For example:
+# SNIFFING_INTERFACES='eth1 eth2'
+SNIFFING_INTERFACES='eth0 eth1'
+
+################################
+# Master Server
+################################
+
+# SERVER
+# If set to 1, then this box will be a Master server:
+# SERVER=1
+# If set to 0, then this box will connect to a separate Master server:
+# SERVER=0
+SERVER=1
+
+# SERVERNAME
+# If SERVER=1, then this should be 'localhost':
+# SERVERNAME='localhost'
+# If SERVER=0, then this should be the name/IP of the separate Master server:
+# SERVERNAME='sguilserver.example.com'
+SERVERNAME='localhost'
+
+# SSH_USERNAME
+# If SERVER=0, then this should be the name of an
+# account on the separate Master server that has sudo privileges.
+# sudo privileges can be revoked after sosetup is complete.
+# SSH_USERNAME='sensor1'
+SSH_USERNAME=''
+
+# SGUIL_SERVER_NAME
+# If SERVER=1, then this is the name of the Sguil server we'll create.
+# You probably shouldn't change this value.
+SGUIL_SERVER_NAME='securityonion'
+
+# SGUIL_CLIENT_USERNAME
+# If SERVER=1, then this is the username that we'll create
+# for Sguil/Squert/ELSA.
+# Please use alphanumeric characters only!
+SGUIL_CLIENT_USERNAME='vagrant'
+
+# SGUIL_CLIENT_PASSWORD_1
+# If SERVER=1, then this is the password that we'll create
+# for Sguil/Squert/ELSA.
+# If you set a password here, you may want to change it later and/or
+# shred this file.
+SGUIL_CLIENT_PASSWORD_1='vagrant'
+
+################################
+# Master server services
+################################
+# If SERVER=0, then no server services will run.
+# If SERVER=1, then the following services can be enabled/disabled.
+
+# Do you want to run Xplico?  yes/no
+XPLICO_ENABLED='no'
+
+################################
+# ELSA
+################################
+
+# ELSA
+# If set to YES, then this box will run ELSA components:
+# ELSA=YES
+# If set to NO, then this box will not run ELSA components:
+# ELSA=NO
+# If you want to run ELSA, then you should enable this setting on every box in your deployment.
+ELSA=YES
+
+# UPDATE_ELSA_SERVER
+# If SERVER=0, then the server's elsa_web.conf will need
+# to be updated and Apache restarted for it to recognize
+# this new ELSA node.  Restarting Apache will interrupt
+# any running ELSA queries.
+# To automatically update the server's elsa_web.conf and 
+# restart Apache, set this option to 'YES':
+# UPDATE_ELSA_SERVER='YES'
+# If you'd rather update the server's elsa_web.conf yourself
+# and manually restart Apache, set this option to 'NO':
+# UPDATE_ELSA_SERVER='NO'
+UPDATE_ELSA_SERVER='YES'
+
+# LOG_SIZE_LIMIT
+# This setting controls how much disk space ELSA uses.
+# 10TB = 10000000000000
+# LOG_SIZE_LIMIT='10000000000000'
+# 1TB = 1000000000000
+# LOG_SIZE_LIMIT='1000000000000'
+# 100GB = 100000000000
+# LOG_SIZE_LIMIT='100000000000'
+# 10GB = 10000000000
+LOG_SIZE_LIMIT='10000000000'
+
+################################
+# Enable/disable services
+################################
+
+# The OSSEC agent sends OSSEC HIDS alerts into the Sguil database.
+# Do you want to run the OSSEC Agent?  yes/no
+OSSEC_AGENT_ENABLED='no'
+
+# OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild.
+OSSEC_AGENT_LEVEL='5'
+
+# Salt allows you to manage your entire Security Onion deployment
+# as one cohesive whole.  It provides configuration management
+# and remote code execution.
+# Do you want to enable Salt?  yes/no
+SALT='no'
+
+################################
+# Sensor components
+################################
+# SENSOR
+# If set to 1, then this box will run sensor components and sniff ethernet interfaces:
+# SENSOR=1
+# If set to 0, then this box will not run sensor components:
+# SENSOR=0
+SENSOR=1
+
+################################
+# Enable/disable sensor services
+################################
+# If SENSOR=0, then no sensor services will run.
+# If SENSOR=1, then the following services can be enabled/disabled.
+
+# BRO_ENABLED
+# Do you want to run Bro?  yes/no
+BRO_ENABLED='yes'
+
+# IDS_ENGINE_ENABLED
+# Do you want to run an IDS engine (Snort/Suricata)?  yes/no
+IDS_ENGINE_ENABLED='yes'
+
+# SNORT_AGENT_ENABLED
+# Do you want to run the Snort agent?  yes/no
+# The Snort agent sends Snort IDS alerts to the Sguil database.
+SNORT_AGENT_ENABLED='yes'
+
+# BARNYARD2_ENABLED
+# Do you want to run Barnyard2?  yes/no
+# Barnyard2 sends IDS alerts from Snort/Suricata to
+# Sguil's Snort agent and syslog (ELSA).
+BARNYARD2_ENABLED='yes'
+
+# PCAP_ENABLED
+# Do you want to run full packet capture?  yes/no
+PCAP_ENABLED='yes'
+
+# PCAP_AGENT_ENABLED
+# Do you want to run Sguil's pcap_agent?  yes/no
+# The pcap_agent allows Sguil to access the pcap store.
+PCAP_AGENT_ENABLED='yes'
+
+# PRADS_ENABLED
+# Do you want to run Prads?  yes/no
+# Prads writes session data and asset data.
+# Bro provides the same data types plus more, so most
+# folks don't run Prads.
+PRADS_ENABLED='no'
+
+# SANCP_AGENT_ENABLED
+# Do you want to run the sancp_agent?  yes/no
+# sancp_agent sends session data from Prads to Sguil.
+SANCP_AGENT_ENABLED='no'
+
+# PADS_AGENT_ENABLED
+# Do you want to run the pads_agent?  yes/no
+# pads_agent sends asset data from Prads to Sguil.
+PADS_AGENT_ENABLED='no'
+
+# HTTP_AGENT_ENABLED
+# Do you want to run the http_agent?  yes/no
+# http_agent sends http logs from Bro to Sguil.
+# If you're running ELSA, then you probably want to disable this.
+HTTP_AGENT_ENABLED='no'
+
+# ARGUS_ENABLED
+# Do you want to run Argus?  yes/no
+# Argus writes session data, also provided by Bro and Prads.
+# Most folks don't run Argus.
+ARGUS_ENABLED='no'
+
+################################
+# Rules
+################################
+
+# IDS_RULESET
+# This setting is only necessary on a master server.
+# Sensors automatically inherit ruleset from the master server.
+# Which IDS ruleset would you like to use?
+# Emerging Threats Open (no oinkcode required):
+# ETOPEN
+# Emerging Threats PRO (requires ETPRO oinkcode):
+# ETPRO
+# Sourcefire VRT (requires VRT oinkcode):
+# VRT
+# VRT and ET (requires VRT oinkcode):
+# VRTET
+IDS_RULESET='ETOPEN'
+
+# OINKCODE
+# This setting is only necessary on a master server.
+# Sensors automatically inherit ruleset from the master server.
+# If you're running VRT or ETPRO rulesets, you'll need to supply your
+# oinkcode here.
+OINKCODE=''
+
+################################
+# PF_RING Config
+################################
+
+# PF_RING_SLOTS
+# The default is 4096.
+# High traffic networks may need to increase this.
+PF_RING_SLOTS=4096
+
+################################
+# IDS Config
+################################
+
+# IDS_ENGINE
+# Which IDS engine would you like to run?  snort/suricata
+# Whatever you choose here will apply to the master server
+# and then sensors inherit this setting from the master server.
+# To run Snort:
+# IDS_ENGINE='snort'
+# To run Suricata:
+# IDS_ENGINE='suricata'
+IDS_ENGINE='snort'
+
+# IDS_LB_PROCS
+# How many PF_RING load-balanced processes would you like to run?
+# This value should be lower than your number of CPU cores.
+IDS_LB_PROCS='1'
+
+# HOME_NET
+# Setup by default configures Snort/Suricata's HOME_NET variable
+# as RFC 1918 (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12).
+# If you wish to provide a custom value, enter it below,
+# ensuring a comma is placed after each range, with no spaces in between.
+# Ex. HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12'
+HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12'
+
+################################
+# Bro Config
+################################
+
+# BRO_LB_PROCS
+# How many PF_RING load-balanced processes would you like Bro to run?
+# This value should be lower than your number of CPU cores.
+BRO_LB_PROCS='1'
+
+# EXTRACT_FILES
+# Do you want Bro to automatically extract Windows EXEs and write them to disk?  yes/no
+EXTRACT_FILES='yes'
+
+################################
+# PCAP Config
+################################
+
+# PCAP_SIZE
+# How large do you want your pcap files to be?
+# The default is 150MB.
+PCAP_SIZE='150'
+
+# PCAP_RING_SIZE
+# How big of a ring buffer should be allocated for netsniff-ng?
+# The default is 64MB.
+PCAP_RING_SIZE='64'
+
+# PCAP_OPTIONS
+# The default option here of '-c' is intended for low-volume environments.
+# If monitoring lots of traffic, you will want to remove the -c to use
+# netsniff-ng's default scatter/gather I/O or consider netsniff-ng's --mmap option.
+PCAP_OPTIONS='-c'
+
+################################
+# Maintenance
+################################
+
+# WARN_DISK_USAGE
+# Begin warning when disk usage reaches this level
+WARN_DISK_USAGE='80'
+
+# CRIT_DISK_USAGE
+# Begin purging old files when disk usage reaches this level
+CRIT_DISK_USAGE='90'
+
+# DAYSTOKEEP
+# Only applies to Sguil database ('securityonion_db')
+DAYSTOKEEP='30'
+
+# DAYSTOREPAIR
+# Only applies to Sguil database ('securityonion_db')
+DAYSTOREPAIR='7'